Configuring a Multicast Authentication Token

Understanding the Multicast Authentication Token

By default, multicast communication is protected with encryption because it conveys credentials. This default setting uses a fixed encryption key that is built into the software and is common to all SAS middle-tier software. This strategy prevents access to the multicast communication from unauthorized listeners. This setting might be sufficient for deployments where multicast communication is isolated from the user community by a firewall or a TTL option, or where the deployment is in an isolated data center.
If your middle tier meets any of the following criteria, then you might want to set a multicast authentication token value:
  • the middle-tier environment is not well isolated from end-user access
  • the security procedures at your site require protection among administrative and operational staff in various roles
  • you want more protection against eavesdroppers and unauthorized participants
For these deployments, set a multicast authentication token value that is known only to the appropriate personnel. A multicast authentication token is a password-like string that is needed to connect to the multicast group and create a site-specific encryption key. In a multi-tier configuration, the SAS Deployment Wizard displays a prompt for a multicast authentication token on each tier that has an application participating in multicast communication. The same authentication token value must be specified for each tier in the same SAS deployment (each tier associated with the same metadata server).
The multicast authentication token interacts with the multicast.security property. By default, clients that want to join a multicast group to receive messages are required to provide an authentication token for the join request. (This is true whether a custom token value is used or the default token value that is built into the software is used.) If you determine that this process is affecting performance, or that it is unnecessary, you can disable the use of authentication tokens. If you set the multicast.security property to NONE, encryption and authentication are disabled. If you set the property to ENCRYPT, then encryption is enabled with no authentication of the join request.

Reconfiguring to Use a Multicast Authentication Token

Generate a Token and Set the Token for SAS Remote Services

  1. Use SAS and the PWENCODE procedure to generate an encoded password to use as the multicast authentication token. For example, {SAS002}DA9A0A5C20629B7F34D2C88A165E5530.
  2. Edit the SAS-config-dir\Lev1\Web\Applications\RemoteServices\RemoteServices.bat file to add a -DMULTICAST_AUTHENTICATION_TOKEN JVM option.
    For Windows, add the option in the runasScripts section:
    :runasScripts
    set MULTICAST_AUTHENTICATION_TOKEN=token
    For UNIX and z/OS, add the option to the RemoteServices.sh file after the SERVERUSER variable:
    SERVERUSER=sas
    
    MULTICAST_AUTHENTICATION_TOKEN="token"
    export MULTICAST_AUTHENTICATION_TOKEN
  3. For Windows, also add the JVM option to the wrapper.conf file. Add it to the end of the wrapper.java.additional.11 entry:
    wrapper.java.additional.11=-XX:+UseTLAB -XX:+UseConcMarkSweepGC 
    -XX:+DisableExplicitGC -Dsun.rmi.dgc.client.gcInterval=3600000 
    -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Xss256k 
    -XX:NewSize=16m -XX:MaxNewSize=16m -XX:PermSize=64m -XX:MaxPermSize=64m 
    -DMULTICAST_AUTHENTICATION_TOKEN=token
    Note: Do not use carriage returns or line feed characters when editing long lines.
  4. Restart SAS Remote Services.

Setting the Token for JBoss Application Server

  1. For deployments on Windows, edit the JBOSS_HOME\server\SASServer1\wrapper.conf file. Add a wrapper.java.additional.nn entry that is similar to the following:
    wrapper.java.additional.36=-Dcom.sas.log.config.url=file:///C:/SAS/Config/...
    wrapper.java.additional.37=-DMULTICAST_AUTHENTICATION_TOKEN=token
  2. Edit the JBOSS_HOME\bin\SASServer1.bat file. Add the JVM option to the JAVA_OPTS variable:
    set JAVA_OPTS=-DMULTICAST_AUTHENTICATION_TOKEN=token
    -Xms256m -Xmx512 ...
  3. Restart the Web application server.

Setting the Token for WebLogic Server

  1. Edit the SAS-config-dir\Lev1\Web\SASDomain\bin\setDomainEnv.cmd file. Add the JVM option to the USER_MEM_ARGS variable for SASServer1:
    if "%SERVER_NAME%" == "SASServer1" (
       set USER_MEM_ARGS=-DMULTICAST_AUTHENTICATION_TOKEN=token
     -Dsas.server.name=Server
  2. Use the WebLogic Server administration console to access the Server Start tab for SASServer1.
  3. Add -DMULTICAST_AUTHENTICATION_TOKEN=token to the Arguments field.
  4. Restart the Web application server.

Setting the Token for WebSphere Application Server

  1. Use the Integrated Solutions Console to access the Java Virtual Machine for the application server.
  2. Add -DMULTICAST_AUTHENTICATION_TOKEN=token to the Generic JVM arguments field.
  3. Restart the Web application server.

Setting the Token for the Report Output Generation Tool

  1. Edit the SAS-install-dir\SASBIReportServices\4.31\outputgen.ini file.
  2. Add a JavaArgs_nn entry that is similar to the following:
    JavaArgs_13=-Dsas.app.launch.picklist=picklist;"help\primary.picklist"
    JavaArgs_14=-DMULTICAST_AUTHENTICATION_TOKEN=token
    Classpath=-cp "<VJRHOME>/eclipse/plugins/sas.launcher.jar"
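
Because the same token value must be set in every file listed above, a consistency check after editing is useful. The following is an added example, not SAS code: the audit function, the file names in SAMPLE and their contents are constructed for illustration, and the expected value shape ({SASnnn} followed by hexadecimal digits) is an assumption taken from the example in step 1.

```python
import re
from collections import defaultdict

# -DMULTICAST_AUTHENTICATION_TOKEN=value (JVM option) or NAME=value / NAME="value" (script).
TOKEN_RE = re.compile(r'MULTICAST_AUTHENTICATION_TOKEN="?([^\s"]+)')
# Assumption: encoded values look like the PWENCODE example on this page,
# {SASnnn} followed by uppercase hex digits.
ENCODED_RE = re.compile(r'\{SAS\d{3}\}[0-9A-F]+')

def audit(files):
    """files maps path -> file text. Returns (values per path, findings)."""
    seen, findings = defaultdict(set), []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            seen[path].update(TOKEN_RE.findall(line))
            # In wrapper.conf every setting is key=value on one line; a line that
            # starts with "-" is a JVM option cut off from its entry by a newline.
            if path.endswith("wrapper.conf") and line.lstrip().startswith("-"):
                findings.append(f"{path}:{n}: option split from its entry by a line break")
        if not seen[path]:
            findings.append(f"{path}: no token set")
    values = set().union(*seen.values())
    findings += [f"{v!r} is not a PWENCODE-style value" for v in sorted(values)
                 if not ENCODED_RE.fullmatch(v)]
    if len(values) > 1:
        findings.append(f"{len(values)} different token values in one deployment")
    return dict(seen), findings

# Constructed sample files; TOKEN is the example value from step 1 of the page.
TOKEN = "{SAS002}DA9A0A5C20629B7F34D2C88A165E5530"
SAMPLE = {
    "RemoteServices/RemoteServices.sh":
        f'SERVERUSER=sas\nMULTICAST_AUTHENTICATION_TOKEN="{TOKEN}"\n'
        "export MULTICAST_AUTHENTICATION_TOKEN\n",
    "RemoteServices/wrapper.conf":
        "wrapper.java.additional.11=-XX:+UseTLAB -Xss256k\n"
        f"-DMULTICAST_AUTHENTICATION_TOKEN={TOKEN}\n",
    "SASServer1/wrapper.conf":
        "wrapper.java.additional.37=-DMULTICAST_AUTHENTICATION_TOKEN=token\n",
    "outputgen.ini":
        "JavaArgs_13=-Dsas.app.launch.picklist=picklist\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

On the constructed sample this reports the broken wrapper.conf line, the file with no token, the literal placeholder "token" left in place, and the resulting mismatch between tiers.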