A default
installation of SAS BI Web Services for Java is not highly secure.
The default security mechanism is SAS authentication. All requests
and responses are sent as clear text. If users want to authenticate
as a specific user, then they can send a user name and password as
clear text as part of the WS-Security headers. If you use a RESTful
request, which is supported in SAS 9.3, send the user name and password
in a base64-encoded Authorization HTTP header. Authentication is performed
by validating the client credentials at the SAS Metadata Server. Base64
is an encoding, not encryption, so whenever user names and passwords must
be sent as clear text or base64 encoded, SSL should be enabled to provide
transport layer security.
If you want to use SSL on the Web application server
to secure the transmission of credentials with the Web services, and
you also want to use the Deploy as Web Service Wizard in SAS Management
Console, then you need to import the server certificate to SAS
Management Console. To import the server certificate to SAS
Management Console, follow these steps:
-
- Pass the keystore location and password into SAS Management Console
  using Java JVM arguments. The arguments that need to be set are:
    javax.net.ssl.trustStore="fully qualified path to keystore created with keytool from step 1"
    javax.net.ssl.trustStorePassword="trust store password"
  To complete this step, add the following JavaArgs arguments to the
  sasmc.ini file, which is found at
  C:/Program Files/SAS/SASManagementConsole/9.3:
    JavaArgs_14=-Djavax.net.ssl.trustStore="fully qualified path to keystore created with keytool from step 1"
    JavaArgs_15=-Djavax.net.ssl.trustStorePassword="trust store password"
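The following check for the trust store entries in sasmc.ini is an added example, not part of the SAS documentation or of any SAS tool. It assumes that whitespace around the "=" of a -D argument and a reused JavaArgs index are mistakes; the function name, the sample path, and the sample password are constructed for illustration.

```python
import re

# Constructed sample of sasmc.ini lines (not taken from a real installation).
SAMPLE_INI = '''\
JavaArgs_13=-Xmx512m
JavaArgs_14=-Djavax.net.ssl.trustStore = "C:/certs/sasmc-trust.jks"
JavaArgs_14=-Djavax.net.ssl.trustStorePassword="changeit"
'''

JAVA_ARG = re.compile(r'^JavaArgs_(\d+)=(.*)$')
TRUST_PROP = re.compile(
    r'^-D(javax\.net\.ssl\.trustStore(?:Password)?)(\s*)=(\s*)(.*)$')
REQUIRED = ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword")


def lint_sasmc_ini(text):
    """Return findings about the trust store JavaArgs in sasmc.ini text.

    Findings name the line and the property only; values are never echoed,
    so the trust store password does not end up in a report or log.
    """
    findings, seen_index, props = [], {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = JAVA_ARG.match(line.strip())
        if not m:
            continue  # not a JavaArgs entry
        index, value = m.group(1), m.group(2).strip()
        if index in seen_index:
            findings.append(f"line {lineno}: JavaArgs_{index} already used "
                            f"on line {seen_index[index]}")
        seen_index.setdefault(index, lineno)
        p = TRUST_PROP.match(value)
        if not p:
            continue  # some other JVM argument
        name, pre, post, raw = p.groups()
        if pre or post:
            findings.append(f"line {lineno}: whitespace around '=' in -D{name}")
        val = raw.strip().strip('"')
        if not val:
            findings.append(f"line {lineno}: -D{name} has no value")
        props[name] = val
    # Both properties from the step above must be present.
    for name in REQUIRED:
        if name not in props:
            findings.append(f"missing -D{name}")
    return findings
```

Because the trust store password sits in sasmc.ini as plain text, the file's permissions are worth reviewing along with its contents.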
If you are using XMLA Web services or generated Web
services, an anonymous user can be configured. The anonymous Web user
is configured during SAS Deployment Wizard configuration. Anonymous
users cannot use the Web Service Maker; credentials must always be
provided to use the Web Service Maker. If you are using XMLA Web services,
you can pass user credentials as XMLA properties in the payload.
SAS BI Web Services can also
be secured by configuring the Web application server to perform Web
authentication. This provides a way for SAS BI Web Services to identify
the calling user with basic Web authentication that uses HTTP transport-level
security.
Note: Web authentication
can be used with both XMLA Web services and generated Web services.
Web authentication cannot be used with the WebServiceMaker Web service
when SAS Management clients are involved because these clients authenticate
by using one-time passwords.