Overview of Security for Web Services

A default installation of SAS BI Web Services for Java is not highly secure. The default security mechanism is SAS authentication. All requests and responses are sent as clear text. If users want to authenticate as a specific user, then they can send a user name and password as clear text as part of the WS-Security headers. If you use a RESTful request that is supported in SAS 9.3, send the user name and password in a base64-encoded Authorization HTTP header. Authentication is performed by authenticating client credentials at the SAS Metadata Server. Base64 is an encoding, not encryption, so anyone who can observe the request can recover the credentials. Whenever user names and passwords must be sent as clear text or base64 encoded, SSL should be enabled to provide transport layer security.
If you want to use SSL on the Web application server to secure the transmission of credentials with the Web services, and you also want to use the Deploy as Web Service Wizard in SAS Management Console, then you need to import the server certificate to SAS Management Console. To import the server certificate to SAS Management Console, follow these steps:
  1. Create a Java keystore on the local machine and import the server certificate of the server that you want to communicate with. For more information about how to perform this step, see http://docs.oracle.com/javase/1.5.0/docs/tooldocs/windows/keytool.html.
  2. Pass the keystore location and password into SAS Management Console using Java JVM arguments. The arguments that need to be set are:
    javax.net.ssl.trustStore="fully qualified path to keystore created with keytool from step 1"
    javax.net.ssl.trustStorePassword="trust store password"
    To complete this step, add the following JavaArgs arguments to the sasmc.ini file, which is found at C:/Program Files/SAS/SASManagementConsole/9.3:
    JavaArgs_14=-Djavax.net.ssl.trustStore="fully qualified path to keystore created with keytool from step 1"
    JavaArgs_15=-Djavax.net.ssl.trustStorePassword="trust store password"
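An added check, not part of the SAS documentation: a small Python linter for the two trust store entries from step 2, which flags an entry whose value has wrapped onto the next line or has whitespace around the equals sign. It assumes only the JavaArgs_N=value line form shown above; the function name, sample paths and sample passwords are constructed for illustration.

```python
import re

# Assumption: entries follow the JavaArgs_N=value form shown on this page.
JAVA_ARG = re.compile(r"^JavaArgs_(\d+)=(.*)$")
REQUIRED = ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword")

# Constructed sample inputs (paths and passwords are placeholders).
GOOD = (
    'JavaArgs_13=-Xmx512m\n'
    'JavaArgs_14=-Djavax.net.ssl.trustStore="C:/keystores/sasmc-trust.jks"\n'
    'JavaArgs_15=-Djavax.net.ssl.trustStorePassword="placeholder-password"\n'
)
WRAPPED = (
    'JavaArgs_14=-Djavax.net.ssl.trustStore =\n'
    '   "C:/keystores/sasmc-trust.jks"\n'
    'JavaArgs_15=-Djavax.net.ssl.trustStorePassword =\n'
    '   "placeholder-password"\n'
)

def check_sasmc_ini(text):
    """Return a list of problems with the trust store JavaArgs in sasmc.ini text."""
    problems, seen_index, found = [], set(), {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = JAVA_ARG.match(line)
        if not m:
            if line.startswith("JavaArgs_"):
                problems.append(f"line {lineno}: malformed JavaArgs entry")
            continue
        index, value = int(m.group(1)), m.group(2)
        if index in seen_index:
            problems.append(f"line {lineno}: JavaArgs_{index} is defined twice")
        seen_index.add(index)
        if not value.startswith("-Djavax.net.ssl.trustStore"):
            continue  # some other JVM argument, not checked here
        name, sep, setting = value[2:].partition("=")
        if name != name.strip() or setting != setting.strip():
            problems.append(f"line {lineno}: whitespace around '=' in {name.strip()}")
        name, setting = name.strip(), setting.strip().strip('"')
        if not sep or not setting:
            problems.append(f"line {lineno}: {name} has no value on the same line")
        found[name] = setting
    for prop in REQUIRED:
        if prop not in found:
            problems.append(f"{prop} is not set")
    return problems
```
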
If you are using XMLA Web services or generated Web services, an anonymous user can be configured. The anonymous Web user is configured during SAS Deployment Wizard configuration. Anonymous users cannot use the Web Service Maker; credentials must always be provided to use the Web Service Maker. If you are using XMLA Web services, you can pass user credentials as XMLA properties in the payload.
SAS BI Web Services can also be secured by configuring the Web application server to perform Web authentication. This provides a way for SAS BI Web Services to identify the calling user with basic Web authentication that uses HTTP transport-level security.
Note: Web authentication can be used with both XMLA Web services and generated Web services. Web authentication cannot be used with the WebServiceMaker Web service when SAS Management clients are involved because these clients authenticate by using one-time passwords.