• Manuals

Browse the manual

• Introduction
  • System requirements
  • Licensing
  • CLC Genomics Server
• Installation
  • Quick installation guide
  • Installing and running the Server
    • Installing the Server software
  • Installation modes - console and silent
  • Upgrading an existing installation
    • Upgrading between major versions
  • Allowing access through your firewall
  • Downloading a license
    • Download a static license on a non-networked machine
  • Starting and stopping the server
    • Microsoft Windows
    • macOS
    • Linux
• Basic configuration
  • Logging into the administrative interface
  • Server display name
  • Adding locations for saving data
    • CLC Server File System Locations
    • Reference data management
    • Enabling and disabling internal compression of CLC data
  • Changing the listening port
  • SSL and encryption
    • Client-server encrypted communication
    • Logging in using SSL from a CLC Workbench
    • Logging in using SSL from the CLC Server Command Line Tools
    • Master-job node encrypted communication
    • Master-grid node encrypted communication
  • Changing the tmp directory
    • Job node setup
  • Setting the amount of memory available for the JVM
  • Limiting the number of cpus available for use
  • HTTP settings
  • External network connections
  • Proxy settings
• Searching the web client
• Managing users and groups
  • Changing the root password
  • User authentication for the CLC Server
    • Giving users administration rights
    • LDAP directory
    • Active Directory
    • Built-in authentication
• Access privileges and permissions
  • Controlling group access to CLC Server data
    • Setting permissions on folders
    • Technical notes about permissions and security
  • Controlling access to the server, server tasks and external data
• Job processing
  • Introduction to servers setups
  • Model I: Master server with dedicated job nodes
    • Overview: Model I
    • User credentials on a master-job node setup
    • Configuring a job node setup
    • Installing Server plugins on job nodes
  • Model II: Master server submitting to grid nodes
    • Overview: Model II
    • Requirements for CLC Grid Integration
    • Technical overview
    • Setting up the grid integration
    • Configuring the master node for a grid setup
    • Licensing of grid workers
    • Configuring licenses as a consumable resource
    • Configuring grid presets
    • Controlling the number of cores utilized
    • Multi-job processing on grid
    • Other grid worker options
    • Testing a Grid Preset
    • Client-side: submitting CLC jobs to the grid
    • Grid Integration Tips
    • Understanding memory settings
  • Model III: Single Server setup
  • Workflow settings
    • Workflow distribution options
    • Choosing a workflow distribution option
    • Intermediate workflow result handling
• Working with external data locations
  • Import/export directories
  • Direct data transfer from client systems
  • AWS Connections in the CLC Server
  • AWS S3 public buckets
  • Browse AWS S3 locations
  • Illumina BaseSpace
• Working with CLC Server File System Locations
  • Browsing CLC Server File System Locations
  • Searching CLC Server File System Locations
• Workflows
  • Installing and configuring workflows
  • Executing workflows
  • Updating workflows
  • Reference data in server workflows
• BLAST databases
• Status and management
  • Downloading a license via the web interface
  • Server maintenance
  • User statistics
  • System statistics
• Queue
• Audit log
• Server plugins
• External applications
  • External application configurations
    • Configuring the containerized execution environment
  • Configuring external applications
    • Editing external applications
    • External command
    • High-throughput sequencing import / Post-processing
    • Stream handling
    • Failure strategy
    • Environment
    • End user interface
    • Management
  • Using consistent reference data in external applications
  • Import and export of external application configurations
  • Updating external application configurations
  • Example: Velvet (standard external application)
    • Installing Velvet
    • Running Velvet from the Workbench
    • Understanding the Velvet configuration
  • Example: Bowtie (standard external application)
    • Installing Bowtie
    • Understanding the Bowtie Map configuration
    • Tools for building index files
  • Example: Kraken2 (containerized external application)
    • Extending the Kraken2 external application for paired data
  • Example: MAFFT (containerized external application)
  • External applications in workflows
  • Running external applications
    • Using a CLC Workbench to launch external applications
    • Using CLC Server Command Line Tools to launch external applications
  • Troubleshooting external applications
• CLC Genomics Cloud Access
• Recycle bins
  • Automatic cleanup of recycle bins
  • Emptying and restoring data from recycle bins
  • Recycle bin restrictions
• Configuring CLC Workbench connections
• Troubleshooting
  • Check setup
  • Bug reporting
• Command line tools
• Analysis automation
• Appendix
  • Use of multi-core computers
  • Non-exclusive Algorithms
  • DRMAA libraries
    • DRMAA for SLURM
    • DRMAA for LSF
    • DRMAA for PBS Pro
    • DRMAA for OGE or SGE
  • Consumable Resources
  • Server system communication diagrams
  • Third party libraries
  • Read Mapper Reference Caching
  • Controlling access to the CLC Server, data and execution environments
  • Monitoring
    • Setting up JMX monitoring
    • Completed process metrics
    • Process execution metrics
    • Job node metrics
• Bibliography

Controlling access to the CLC Server, data and execution environments

This section describes recommended practices for configuring a CLC Genomics Server environment with strictly controlled access to server functionality, to data stored in CLC Server File System Locations and to files stored in external areas available via the CLC Server, and to execution environments external to the CLC Server. These recommendations refer to settings configured on a single server installation or on the master node in a multi-node setup.

The information and recommendations below assume that the actions listed in the Quick installation guide have already been carried out, and assume that the CLC Server is configured to use LDAP or Active Directory for authentication.

It is recommended that after authentication has been configured, all further configuration steps are carried out while the CLC Server is in Maintenance Mode so that non-administrative users cannot log in during this period.

CLC Server access

Access to the CLC Genomics Server should be explicitly configured. This is done using settings under the Global permissions tab of the web client:

• Client access Access to client software should be limited to just those requiring the functionality offered via that client software.

  Some considerations:

  • Web client Typically restricted to administrators. Users of the CLC Server Command Line Tools may also benefit from access to the web client for swiftly determining URLs for CLC and external data.

    Via the web client, any user can move data they have access to in CLC Server File System Locations to their own recycle bins. This is described in more detail in the CLC data deletion section below.

  • CLC Workbench Typically, all users carrying out analysis tasks on the CLC Server would be granted access.

  • CLC Server Command Line Tools (CLT) Typically restricted to administrators and power users, for example, bioinformaticians who wish to launch CLC jobs via scripts.

• Login restrictions This setting can be left as the default, "All authorized users", as long as client access has been controlled (described above). If restrictions are configured, ensure that the CLC Genomics Server process owner has access.

CLC data access

By default, any user with access to the CLC Server can access data stored in any CLC Server File System Location.

To limit access, the following two steps must be taken for each CLC Server File System Location:

1.  Enable permissions on the File System Location.
2.  Specify access to areas in Locations where group level permissions have been enabled.

Note: While default data deletion rules are more stringent for a CLC Server File System Location named CLC_References, it is still recommended that group permissions be explicitly set on this Location, if it exists.

CLC data deletion

Deleting data from CLC Server File System Locations involves two steps:

1. Moving data to a recycle bin. Data is not removed from the system taking this action. Data in recycle bins can be restored.
2. Emptying the recycle bin. This action deletes the data from the disk. By default, all users can empty their own recycle bins. On controlled setups, this action should be be restricted to just administrators.

Client software differences relating to recycle bins:

• Web client If a user has access to the web client, they will be able to move data they have access to to their own recycle bins.
• CLC Workbench clients By default, users can move data they have access to in CLC Server File System Locations to their own recycle bins. This can be restricted by applying the workbench_save_to_server policy with the value set to deny. For a Workbench with this policy, no action can be taken directly in the Workbench on CLC Server File System Locations, including moving data into a recycle bin or emptying a recycle bin.
• CLC Server Command Line Tools By default, commands for moving data to recycle bins and deleting the contents of recycle bins are executable only by members of the admin group.

External data access

The CLC Server can be configured to allow access to data areas external to it and to its File System Locations. By default, all users can access files located in such external areas. Access restrictions should be explicitly configured.

External data areas that may be configured for a given CLC Server are:

• Import/export directories Setting permissions on these:
  • Defines the groups that can select data for import from an import/export directory.
  • Defines the groups that can export to an import/export directory.
  • Defines the groups offered BLAST databases stored in that import/export directory when launching BLAST jobs if the directory is also configured as a BLAST database location.

• AWS Connections Users in groups with permission to use an AWS Connection can access S3 buckets available via the AWS account configured in that Connection. To allow access to S3 buckets, but restrict the ability to run on a CLC Genomics Cloud setup, configure permissions for the relevant Cloud presets, (described below).

• AWS public S3 buckets

• Illumina BaseSpace Only available when using a CLC Genomics Workbench client. Users will be prompted to log into the Illumina website in a browser window if they chose BaseSpace as the data source in an import tool. To block access, ensure that machines running the client software cannot access *basespace.illumina.com.

Direct data transfer

For controlled environments, it is expected that data should only be imported from external locations known to the CLC Server (e.g. import/export directories).

By default, direct data transfer is not enabled. Keeping this default setting is recommended. When direct data transfer is not enabled, files and data local to the system running a CLC Workbench or the CLC Server Command Line Tools cannot be transferred directly to the CLC Server.

Important notes:

• Permissions set on import/export directories do not restrict use of an import/export directory for the purposes of direct data transfer.
• On job node setups, direct data transfer is needed for maintenance tasks. It is recommended that on such setups, the server be put in maintenance mode, and after all non-administrative users have logged out, direct data transfer be enabled. After the maintenance tasks are complete, disable direct data transfer before returning the server to normal operation.

Access to external analysis infrastructure

By default, all users with access to the CLC Server using a CLC Workbench or the CLC Server Command Line Tools can launch analyses to run on external systems supported by the CLC Server. Access can be more finely controlled, if desired. Specifically:

• Grid presets Access to each grid preset can be limited to specified groups.

• Cloud presets Access to each cloud preset can be limited to specified groups.

Encrypted communication

Encrypted communication between the CLC Server and client software should be used.

Certificates should be added, and settings updated as needed. Refer to the SSL and encryption section of the manual for details. Encryption of traffice between the master server and execution nodes is also described in that section.

Note: The encrypted communication between clients and the server supported out of the box uses a self-signed certificate, and by default, unencrypted connections will still be accepted.

---