SECPACKAGE System Option

Identifies the security package that the IOM server uses to authenticate incoming client connections.
Valid in: configuration file, SAS invocation, metadata
Categories: Environment control: Initialization and operation; System Administration: Security
PROC OPTIONS GROUP=: EXECMODES, SECURITY
Default: negotiate
Restriction: Windows operating environment only
See: SECPACKAGELIST System Option, SSPI System Option

Syntax

-secpackage "package-name" | "negotiate"

Syntax Description

"package-name"
specifies the security package that the IOM server should use to authenticate incoming client connections.
Enclose the security package name within double quotation marks (").
"negotiate"
(default) enables the server to present a set of valid security packages (through the SECPACKAGELIST system option) that the server uses to find a match with an incoming client connection. If the client specifies a security package in the list, then the server attempts to authenticate the client using the matched security package.
Enclose negotiate within double quotation marks (").

Details

The SECPACKAGE system option identifies the security package that the IOM server uses to authenticate incoming client connections.
Security packages are provided by vendors, so package names are not validated against a list of names. Enter each name exactly as the vendor instructs, including casing and spelling.
When you specify -SECPACKAGE "negotiate", the IOM server uses the SECPACKAGELIST option to determine which package to use. SECPACKAGELIST specifies the names of the security packages that can be used by the server to authenticate incoming client connections. SECPACKAGE and SECPACKAGELIST are required to support single sign-on (SSO) to IOM servers. The client should initialize with a matching package name. Specifying an unknown package name (such as "disable") will effectively disable SSO.
In order to use SECPACKAGE, you must also specify SSPI.

Examples

Example 1

In the following example, the IOM server specifies either Kerberos or NTLM security for authenticating incoming client requests:
-sspi
-secpackage "negotiate"
-secpackagelist "Kerberos,NTLM"

Example 2

In the following example, the IOM server specifies Kerberos security only for authenticating incoming client requests:
-sspi
-secpackagelist "kerberos"

In the preceding example, SECPACKAGE does not have to be specified because it defaults to negotiate. Kerberos is the only protocol in the list to negotiate, so every client that connects to the server must use Kerberos or the connection fails. The protocols of the client and the server must match: when the server presents only Kerberos in the package list, the client is forced to use Kerberos.

Example 3

In the following example, the IOM server specifies NTLM security only for authenticating incoming client requests:
-sspi
-secpackagelist "ntlm"

In the preceding example, SECPACKAGE does not have to be specified because it defaults to negotiate. NTLM is the only protocol in the list to negotiate, so every client that connects to the server must use NTLM or the connection fails. The protocols of the client and the server must match: when the server presents only NTLM in the package list, the client is forced to use NTLM.
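
The following checker is an added example, not part of the SAS documentation. It resolves which packages a set of option lines lets the server accept and flags the conditions described under Details (missing SSPI, an unknown name that disables SSO). The EXPECTED set, the function names, and the case-insensitive name comparison are assumptions made for this example.

```python
import shlex

# Assumption: the package names this site expects (the only two the page names).
EXPECTED = {"kerberos", "ntlm"}

def parse_options(text):
    """Collect -option [value] pairs from config-file or invocation text."""
    tokens = shlex.split(text)  # honours the double quotes around values
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            name, value = tokens[i][1:].lower(), None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value, i = tokens[i + 1], i + 1
            opts[name] = value
        i += 1
    return opts

def review(text):
    """Return (packages the server will accept, list of findings)."""
    opts = parse_options(text)
    findings = []
    # SECPACKAGE defaults to negotiate when it is not specified.
    package = (opts.get("secpackage") or "negotiate").strip()
    if {"secpackage", "secpackagelist"} & opts.keys() and "sspi" not in opts:
        findings.append("SSPI is not specified but is required with SECPACKAGE")
    if package.lower() == "negotiate":
        raw = opts.get("secpackagelist")
        if raw is None:
            findings.append("negotiate is in effect but SECPACKAGELIST is not set here")
        offered = [p.strip() for p in (raw or "").split(",") if p.strip()]
    else:
        offered = [package]
    for name in offered:
        # Assumption: names are compared case-insensitively against EXPECTED.
        if name.lower() not in EXPECTED:
            findings.append(f'"{name}" is not an expected name; an unknown name disables SSO')
    return offered, findings

# Constructed inputs: Example 1 from the page, and a misconfigured invocation.
EXAMPLE_1 = '-sspi\n-secpackage "negotiate"\n-secpackagelist "Kerberos,NTLM"'
BROKEN = '-secpackage "disable"'

if __name__ == "__main__":
    for label, text in (("example 1", EXAMPLE_1), ("broken", BROKEN)):
        print(label, review(text))
```

A name outside EXPECTED may still be a valid vendor package; extend the set to match the packages installed at your site before relying on that finding.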

See Also

Other SAS Documents:
Configuration Guide for SAS Foundation for UNIX Environments