Setting Up Users, Groups, and Ports
About Ports and Multicast Addresses
While you are creating operating system user accounts and groups, you need to review the set of ports that the SAS servers, third-party servers, and spawners in your system will use by default. If any of these ports is unavailable, select an alternate port, and record the new port on the following ports pre-installation checklists:
For third-party software ports, see Pre-installation Checklists for Third-Party Products.
You also need to plan for designating Internet Protocol (IP) multicast addresses for all the machines in your SAS deployment. Multicasting simplifies the ongoing management and deployment of SAS Web applications by providing the flexibility to customize the SAS middle tier and to distribute SAS Web components to implement load balancing.
Multicast Address Considerations
The SAS Deployment Wizard prompts you to supply a multicast address for inter-machine communication. The wizard supplies you with a default multicast address that it generates based on the machine's IP address and the admin local scope that is recommended in RFC 3171 (IPv4) or RFC 4291 (IPv6).
A multicast group communications protocol is used to communicate among middle-tier SAS applications in a single SAS deployment (the set of applications connected to the same SAS Metadata Server). The combination of multicast IP address and multicast UDP port should be different for each SAS deployment and also different from those used by other multicast applications at your site.
The multicast group communication includes all information needed to bootstrap SAS middle-tier applications. Because this includes sending the SAS environment credentials (such as the sasadm account name and its password), scoping and encryption options are provided. The defaults are most appropriate for deployments in a firewalled, isolated data center environment.
The IP multicast address must be valid for IP multicasting and should be in the range 224.0.0.0 to 239.255.255.255 for IPv4 or have the prefix ff00::/8. Typically, the chosen address will be in the admin-local scoped block, which corresponds to 239/8 for IPv4 and ff14::/8 for IPv6. The sample address provided during configuration by the SAS Deployment Wizard conforms to these standards. The address should be unique to SAS applications for the subnet they are installed on.
The IP multicast UDP port should be open and usable on any machine where a middle-tier application is to be installed. This is a UDP port and does not conflict with any previous TCP port definitions such as the metadata server. The multicast group communication is intended to be used only within your data center environment. Many sites keep their data center network separated from end users via a firewall that will automatically isolate the multicast protocol. Alternatively, the time to live (TTL) parameter can be used to restrict the scope of multicast communication. Your network administrator can suggest a TTL setting to limit the scope of the multicast. The TTL option and the authentication token option both have security implications.
The multicast TTL property (default = 1) affects the number of network hops a multicast packet will take before being dropped. This TTL value must be greater than or equal to the largest number of hops between any two servers containing SAS products. In addition, some network router documentation recommends that multicast datagrams with initial TTL=0 are restricted to the same host, multicast datagrams with initial TTL=1 are restricted to the same subnet, and multicast datagrams with initial TTL=32 are restricted to the same site. Consult your network router documentation or your network administration staff to determine the correct values for your environment.
Note: You must make sure that all of the machines in your SAS 9.2 deployment are members of the same subnet, or be sure to set the default TTL value to a number higher than 1. The deployment wizard gives you the opportunity to set the TTL value during SAS 9.2 deployment. For information about how to change these options after deployment, see Administering Multicast Options in the SAS Intelligence Platform: Web Application Administration Guide.
Because the multicast protocol conveys credentials, it is protected via encryption. By default, group communication is protected only with a fixed encryption key that is built into the software. If your middle tier is not running in an environment that is well isolated from end-user access, then you might want better protection against eavesdroppers and unauthorized group participants. For such situations, choose a multicast authentication token known only to your SAS middle-tier administrative staff. The authentication token is a password-like string needed to connect to the group and create a site-specific encryption key.
The deployment wizard default simplifies configuration using the authentication token that is built into the software. This option is best used in development and other low-security environments. It might also be appropriate in higher-security environments where the multicast group communication is isolated from the end-user community, either via firewall or TTL option, and where all data center administrative and operations staff have sufficient security approval.
If your multicast group communication is not contained within an isolated data center environment, or if the security procedures at your site require protections among administrative and operational staff in various roles, you should specify an authentication token that is known only to the administrators of the SAS environment. The same token string must be supplied on each tier in the configuration.
By default, there is a code-level authentication token shared between all SAS middle-tier applications to prevent access to the multicast group from unauthorized listeners. If you choose to use a customized authentication token, use the deployment wizard to enter an authentication token value that meets your organization's security guidelines. The authentication token can be any password-like string. In a multi-tier configuration, this prompt appears on each tier that has an application participating in the SAS multicast groups. You must provide the same authentication token string to each tier in the same SAS deployment (that is, each tier associated with the same metadata server).
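The address, TTL, and token rules above can be checked against a planned configuration before you run the deployment wizard. The following Python sketch is an added example, not SAS code; the function name, finding codes, and sample plans are hypothetical, and treating TTL 1 or a firewall as "contained" is a simplifying assumption drawn from the text above.

```python
import ipaddress

def review_multicast_plan(address, ttl, max_hops, tier_tokens, firewalled):
    """Return finding codes for a planned multicast configuration.

    tier_tokens maps a tier name to its authentication token; None stands
    for the default token that is built into the software.
    """
    ip = ipaddress.ip_address(address)
    if not ip.is_multicast:
        # Outside 224.0.0.0-239.255.255.255 (IPv4) and outside ff00::/8 (IPv6).
        return ["NOT_MULTICAST"]
    findings = []
    if ip.version == 4:
        admin_local = ip in ipaddress.ip_network("239.0.0.0/8")
    else:
        # The low nibble of the second byte is the IPv6 multicast scope;
        # 4 is admin-local, which the ff14 prefix on this page carries.
        admin_local = (ip.packed[1] & 0x0F) == 4
    if not admin_local:
        findings.append("NOT_ADMIN_LOCAL")
    if ttl < max_hops:
        # TTL must cover the largest hop count between any two SAS servers.
        findings.append("TTL_TOO_LOW")
    tokens = set(tier_tokens.values())
    if len(tokens) > 1:
        # Every tier of one deployment must be given the same token string.
        findings.append("TOKEN_MISMATCH")
    # Assumption: traffic is contained if a firewall isolates the data
    # center or TTL keeps datagrams on the local subnet.
    contained = firewalled or ttl <= 1
    if None in tokens and not contained:
        findings.append("DEFAULT_TOKEN_EXPOSED")
    return findings

if __name__ == "__main__":
    # Constructed sample plans, not values from a real deployment.
    plans = [
        ("239.10.20.30", 1, 1, {"middle": None}, True),
        ("ff14::1234", 3, 2, {"web": None}, False),
        ("224.0.1.5", 1, 2, {"web": "tokenA", "app": "tokenB"}, False),
    ]
    for plan in plans:
        print(plan[0], review_multicast_plan(*plan))
```
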
For more information about configuring Web application servers to use with SAS 9.2, go to the Third-Party Software Downloads site at http://support.sas.com/resources/thirdpartysupport/v92 and search for the product name of your Web application server.
Pre-installation Checklist for Ports for SAS
The following checklist indicates what ports are used for SAS by default, and gives you a place to enter the port numbers that you will actually use.
Note: The SAS Deployment Wizard prompts you for this information, and you cannot complete the installation without it.
On UNIX and z/OS, we recommend that you document each SAS port that you reserve in the following standard locations on each machine:
UNIX: /etc/services
z/OS: your TCP/IP PROFILE data set
On z/OS, the SAS servers are configured and initially started as TSO processes invoked from the USS shell using /bin/tso. When these servers are started under TSO, the job name is the user ID that is starting the server with a character appended to the end. If your site makes use of the reserved ports facility in TCP/IP, each port definition should include the started task and this SAS installer ID job name as valid users of this port. You can use an asterisk (such as sas*) in this definition.
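On UNIX, planned ports can be compared with what /etc/services already records. The following Python sketch is an added example, not part of the SAS documentation; the service names and the sample file content are constructed, and only the port numbers and the TCP/UDP distinction come from this page. It keys entries on port and protocol together, so the multicast UDP port 8561 is treated separately from the metadata server's TCP port 8561.

```python
# Constructed sample in /etc/services format; service names are made up.
SAMPLE_SERVICES = """\
smtp        25/tcp     mail
http        80/tcp     www        # WorldWideWeb HTTP
sas-meta    8561/tcp              # SAS Metadata Server, Lev1
othersvc    7570/udp              # unrelated application
broken-line-without-port
"""

# (hypothetical service name, port, protocol) for three checklist rows.
PLANNED = [
    ("sas-meta", 8561, "tcp"),        # SAS Metadata Server
    ("sas-mcast", 8561, "udp"),       # Multicast (UDP port)
    ("sas-wrs-sched1", 7570, "udp"),  # Web Report Studio IP Scheduling UDP Port 1
]

def parse_services(text):
    """Map (port, protocol) to the service name that documents it."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank, comment-only, or malformed line
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            entries[(int(port), proto.lower())] = fields[0]
    return entries

def check_plan(planned, entries):
    """Classify each planned port as documented, missing, or in conflict."""
    report = {}
    for name, port, proto in planned:
        owner = entries.get((port, proto))
        if owner is None:
            report[name] = "missing"  # not yet recorded in the file
        elif owner == name:
            report[name] = "documented"
        else:
            report[name] = "conflict with " + owner  # pick an alternate port
    return report

if __name__ == "__main__":
    for name, status in check_plan(PLANNED, parse_services(SAMPLE_SERVICES)).items():
        print(name, status)
```
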
On all operating systems, the last digit of the default port number reflects the configuration level that you select in the SAS Deployment Wizard. For example, when you select Lev1, the default port for the metadata server is 8561. If you choose another level, such as Lev2, the wizard changes the default port to 8562.
Note: These checklists are superseded by more complete and up-to-date checklists that can be found at http://support.sas.com/installcenter/plans. This Web site also contains a corresponding deployment plan and an architectural diagram. If you are a SAS solutions customer, consult the pre-installation checklist provided by your SAS representative for a complete list of ports that you must designate.
Server or Spawner | Default Port | Data Direction | Actual Port |
---|---|---|---|
E-mail server | 25 | Outbound | |
HTTP server | 80 | Inbound and outbound | |
HTTP server (secure port) | 443 | Inbound and outbound | |
SAS Table Server | 2171 | Inbound | |
SAS Remote Services application | 5091 | Inbound | |
SAS OLAP Server | 5451 | Inbound | |
Event Broker administration | 6051 | Inbound | |
SAS/CONNECT server and spawner | 7551 | Inbound and outbound | |
Web Report Studio IP Scheduling UDP Port 1 | 7570 | Inbound and outbound | |
Web Report Studio IP Scheduling UDP Port 2 | 7571 | Inbound and outbound | |
Web Report Studio IP Scheduling UDP Port 3 | 7572 | Inbound and outbound | |
Event Broker HTTP | 8111 | Inbound | |
Operating System Services scheduler | 8451 | Inbound | |
SAS/SHARE server | 8551 | Inbound | |
Multicast (UDP port) | 8561 | Inbound and outbound | |
SAS Metadata Server | 8561 | Inbound and outbound | |
SAS object spawner: operator port | 8581 | Inbound | |
SAS Workspace Server | 8591 | Inbound | |
Metadata utilities SAS Workspace Server [1] | 8591 | Inbound | |
SAS Stored Process Server: bridge connection | 8601 | Inbound | |
SAS Stored Process Server: load balancing connection 1 (MultiBridge) | 8611 | Inbound | |
SAS Stored Process Server: load balancing connection 2 (MultiBridge) | 8621 | Inbound | |
SAS Stored Process Server: load balancing connection 3 (MultiBridge) | 8631 | Inbound | |
SAS Pooled Workspace Server | 8701 | Inbound | |
SAS object spawner: pooled workspace server port bank 1 | 8801 | Inbound | |
SAS object spawner: pooled workspace server port bank 2 | 8811 | Inbound | |
SAS object spawner: pooled workspace server port bank 3 | 8821 | Inbound | |
SAS Deployment Tester server | 10021 | Inbound | |

[1] In SAS 9.2, two or more workspace servers can share the same port even if they are running at the same time.
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.