Designating Ports and Multicast Addresses

About Ports and Multicast Addresses

While you are creating operating system user accounts and groups, you need to review the set of ports that the SAS servers, third-party servers, and spawners in your system will use by default. If any of these ports is unavailable, select an alternate port, and record the new port on the following ports pre-installation checklists:
For third-party software ports, see Pre-installation Checklists for Third-Party Products.
You also need to plan for designating Internet Protocol (IP) multicast addresses for all the machines in your SAS deployment. Multicasting simplifies the ongoing management and deployment of SAS Web applications by providing the flexibility to customize the SAS middle tier and to distribute SAS Web components to implement load balancing.

Multicast Address Considerations

The SAS Deployment Wizard prompts you to supply a multicast address for inter-machine communication. The wizard supplies you with a default multicast address that it generates based on the machine's IP address and the admin local scope that is recommended in RFC 3171 (IPv4) or RFC 4291 (IPv6).
A multicast group communications protocol is used to communicate among middle-tier SAS applications in a single SAS deployment (the set of applications connected to the same SAS Metadata Server). The combination of multicast IP address and multicast UDP port should be different for each SAS deployment and also different from those used by other multicast applications at your site.
The multicast group communication includes all information needed to bootstrap SAS middle-tier applications. Because this includes sending the SAS environment credentials (such as the sasadm account name and its password), scoping and encryption options are provided. The defaults are most appropriate for deployments in a firewalled, isolated data center environment.
The IP multicast address must be valid for IP multicasting and should be in the range 224.0.0.0 to 239.255.255.255 for IPv4 or have the prefix ff00::/8 for IPv6. Typically, the chosen address will be in the admin-local scoped block which corresponds to 239/8 for IPv4 and ff14::/8 for IPv6. The sample address provided during configuration by the SAS Deployment Wizard conforms to these standards. The address should be unique to SAS applications for the subnet that they are installed on.
The IP multicast UDP port should be open and usable on any machine where a middle-tier application is to be installed. This is a UDP port and does not conflict with any previous TCP port definitions such as the metadata server. The multicast group communication is intended to be used only within your data center environment. Many sites keep their data center network separated from end users via a firewall that will automatically isolate the multicast protocol. Alternatively, the time to live (TTL) parameter can be used to restrict the scope of multicast communication. Your network administrator can suggest a TTL setting to limit the scope of the multicast. The TTL option and the authentication token option both have security implications.
The multicast TTL property (default = 1, range = 0–255) affects the number of network hops a multicast packet will take before being dropped. This TTL value must be greater than or equal to the largest number of hops between any two servers containing SAS products. In addition, some network router documentation recommends that multicast datagrams with initial TTL=0 are restricted to the same host, multicast datagrams with initial TTL=1 are restricted to the same subnet, and multicast datagrams with initial TTL=32 are restricted to the same site. Consult your network router documentation or your network administration staff to determine the correct values for your environment.
Note: You must make sure that all of the machines in your SAS 9.3 deployment are members of the same subnet, or be sure to set the default TTL value to a number higher than 1. The deployment wizard gives you the opportunity to set the TTL value during SAS 9.3 deployment. For information about how to change these options after deployment, see Administering Multicast Options in SAS Intelligence Platform: Middle-Tier Administration Guide.
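The address, port, and TTL rules above can be checked before you run the deployment wizard. The following is an added example, not SAS code: the function name, its parameters, and the sample values are assumptions made for illustration.

```python
import ipaddress

def check_multicast_plan(address, port, ttl, max_hops, in_use=()):
    """Return a list of problems with a proposed setting; an empty list means OK.

    max_hops: largest number of hops between any two servers with SAS products.
    in_use:   (address, port) pairs already used by other SAS deployments or
              other multicast applications at the site (hypothetical inventory).
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return [f"{address!r} is not an IP address"]

    problems = []
    # is_multicast covers 224.0.0.0-239.255.255.255 (IPv4) and ff00::/8 (IPv6).
    if not ip.is_multicast:
        problems.append(f"{ip} is outside the IP multicast range")
    elif ip.version == 4 and ip not in ipaddress.ip_network("239.0.0.0/8"):
        problems.append(f"{ip} is multicast but outside the 239/8 scoped block")
    elif ip.version == 6 and ip.packed[1] & 0x0F != 4:
        # The low nibble of the second byte is the IPv6 multicast scope;
        # 4 is admin-local, as in the ff14 prefix mentioned above.
        problems.append(f"{ip} is multicast but not admin-local scope")

    if not 0 <= ttl <= 255:
        problems.append(f"TTL {ttl} is outside the range 0-255")
    elif ttl < max_hops:
        problems.append(f"TTL {ttl} is lower than the {max_hops} hops between servers")

    # The address and UDP port combination must be unique per deployment.
    if any(ipaddress.ip_address(a) == ip and p == port for a, p in in_use):
        problems.append(f"{ip} port {port} is already used by another multicast group")
    return problems
```

Each returned string names one rule from this section that the proposed setting breaks, so the list can be recorded next to the pre-installation checklist.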
Because the multicast protocol conveys credentials, it is protected via encryption. By default, group communication is protected only with a fixed encryption key that is built into the software. If your middle-tier is not running in an environment that is well-isolated from end-user access, then you might want better protection against eavesdroppers and unauthorized group participants. For such situations, choose a multicast authentication token known only to your SAS middle-tier administrative staff. The authentication token is a password-like string needed to connect to the group and create a site-specific encryption key.
The deployment wizard default simplifies configuration using the authentication token that is built into the software. This option is best used in development and other low-security environments. It might also be appropriate in higher-security environments where the multicast group communication is isolated from the end-user community, either via firewall or TTL option, and where all data center administrative and operations staff have sufficient security approval.
If your multicast group communication is not contained within an isolated data center environment, or if the security procedures at your site require protections among administrative and operational staff in various roles, you should specify an authentication token that is known only to the administrators of the SAS environment. The same token string must be supplied on each tier in the configuration.
By default, there is a code-level authentication token shared between all SAS middle-tier applications to prevent access to the multicast group from unauthorized listeners. If you choose to use a customized authentication token, use the deployment wizard to enter an authentication token value that meets your organization's security guidelines. The authentication token can be any password-like string. In a multi-tier configuration, this prompt appears on each tier that has an application participating in the SAS multicast groups. You must provide the same authentication token string to each tier in the same SAS deployment (that is, each tier associated with the same metadata server).
For more information about configuring Web application servers to use with SAS 9.3, go to the Third-Party Software Downloads site at http://support.sas.com/resources/thirdpartysupport/v93/index.html and search for the product name of your Web application server.

How the Deployment Wizard Assigns Ports

Pre-installation Checklist for Ports (SAS) lists a port range for each SAS server (or spawner). When assigning default ports, the deployment wizard looks for the next available port in the range. Typically, on all operating systems, the last digit of the default port number reflects the configuration level that you select in the SAS Deployment Wizard. For example, when you select Lev1, the default port for the metadata server is 8561. If you choose another level, such as Lev2, the wizard changes the default port to 8562.
In some rare situations, some ports might end with a different digit. This is because the default port is already in use.
On UNIX and z/OS, we recommend that you document each SAS port that you reserve in the following standard locations on each machine:
  • UNIX—/etc/services
  • z/OS—your TCP/IP PROFILE data set
This practice will help avoid port conflicts on the affected machines.
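The port selection rule and the /etc/services practice described above can be combined into a pre-installation check. The following is an added example, not SAS code and not the deployment wizard's own logic: it assumes the search starts at the first port of the range plus the level number and moves upward, and the function names and the sample /etc/services entries are constructed for illustration.

```python
import re
import socket

# First port of each range, taken from the checklist on this page (subset).
RANGES = [
    ("SAS Metadata Server", 8560, "tcp"),
    ("Multicast (UDP port)", 8560, "udp"),
    ("SAS object spawner: operator port", 8580, "tcp"),
    ("SAS Workspace Server", 8590, "tcp"),
]

# Constructed sample of /etc/services entries, not taken from a real host.
SAMPLE_SERVICES = """\
otherapp    8561/tcp    # unrelated application already documented here
legacyjob   8591/tcp
legacyjob   8591/udp
"""

def reserved_ports(services_text):
    """Parse /etc/services-style text into a set of (port, protocol) pairs."""
    reserved = set()
    for line in services_text.splitlines():
        # Service name (not a comment), whitespace, then port/protocol.
        m = re.match(r"\s*[^\s#]\S*\s+(\d+)/(tcp|udp)\b", line)
        if m:
            reserved.add((int(m.group(1)), m.group(2)))
    return reserved

def bindable(port, proto):
    """True if a socket can be bound to the port on this host right now."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("", port))
        except OSError:
            return False
    return True

def plan_ports(level, services_text, is_free=bindable):
    """Per server: try range start + level, then the next ports up to range end."""
    taken = reserved_ports(services_text)
    plan = {}
    for name, first, proto in RANGES:
        candidates = range(first + level, first + 10)
        # A port is usable if it is neither documented for another service
        # with the same protocol nor currently held by a process.
        plan[name] = next((p for p in candidates
                           if (p, proto) not in taken and is_free(p, proto)), None)
    return plan
```

With the sample entries and Lev1, the metadata server moves to 8562 because 8561/tcp is documented for another service, while the multicast UDP port stays at 8561 because a TCP reservation does not conflict with a UDP port.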
On z/OS, the SAS servers are configured and initially started as TSO processes invoked from the USS shell using /bin/tso. When these servers are started under TSO, the job name consists of the user ID that is starting the server, with a character appended to the end. If your site makes use of the reserved ports facility in TCP/IP, each port definition should include the started task and this SAS installer ID job name as valid users of this port. You can use an asterisk (such as sas*) in this definition.

Pre-installation Checklist for Ports for SAS

The following checklist indicates what ports are used for SAS by default, and gives you a place to enter the port numbers that you will actually use.
Note: The SAS Deployment Wizard prompts you for this information, and you cannot complete the installation without it.
Note: These checklists are superseded by more complete and up-to-date checklists that can be found at http://support.sas.com/installcenter/plans. This Web site also contains a corresponding deployment plan and an architectural diagram. If you are a SAS solutions customer, consult the pre-installation checklist provided by your SAS representative for a complete list of ports that you must designate.
Pre-installation Checklist for Ports (SAS)

| Server or Spawner | Default Port | Data Direction | Actual Port |
|---|---|---|---|
| E-mail server | 25 | Outbound | |
| HTTP server | 80 | Inbound and outbound | |
| HTTP server (secure port) | 443 | Inbound and outbound | |
| SAS Remote Services application | 5090 – 5099 | Inbound | |
| SAS OLAP Server | 5450 – 5459 | Inbound | |
| Event Broker administration | 6051 – 6059 | Inbound | |
| SAS/CONNECT server and spawner | 7550 – 7559 | Inbound and outbound | |
| Web Report Studio IP Scheduling UDP Ports (1–3) | 7570 – 7599 | Inbound and outbound | |
| Event Broker HTTP | 8110 – 8119 | Inbound | |
| Operating System Services scheduler | 8450 – 8459 | Inbound | |
| SAS/SHARE server | 8550 – 8559 | Inbound | |
| Multicast (UDP port) | 8560 – 8569 | Inbound and outbound | |
| SAS Metadata Server | 8560 – 8569 | Inbound | |
| SAS object spawner: operator port | 8580 – 8589 | Inbound | |
| SAS Workspace Server | 8590 – 8599 | Inbound | |
| Metadata utilities SAS Workspace Server¹ | 8590 – 8599 | Inbound | |
| SAS Stored Process Server: bridge connection | 8600 – 8609 | Inbound | |
| SAS Stored Process Server: load balancing connection 1 (MultiBridge) | 8610 – 8619 | Inbound | |
| SAS Stored Process Server: load balancing connection 2 (MultiBridge) | 8620 – 8629 | Inbound | |
| SAS Stored Process Server: load balancing connection 3 (MultiBridge) | 8630 – 8639 | Inbound | |
| SAS Pooled Workspace Server | 8700 – 8709 | Inbound | |
| SAS object spawner: pooled workspace server port bank 1 | 8800 – 8809 | Inbound | |
| SAS object spawner: pooled workspace server port bank 2 | 8810 – 8819 | Inbound | |
| SAS object spawner: pooled workspace server port bank 3 | 8820 – 8829 | Inbound | |
| SAS Deployment Tester server | 10020 – 10029 | Inbound | |
| SAS Information Retrieval Studio | 10650 – 10659 | Inbound | |
| SAS Framework Data Server | 22030 – 22039 | Inbound | |

¹ In SAS 9.3, two or more workspace servers can share the same port even if they are running at the same time.