- In the host layer, create directories and a configuration file:
  - In your equivalent of SAS-configuration-directory\SASApp, create a directory called RestrictedPool and a subdirectory (below RestrictedPool) called logs.
  - In the RestrictedPool directory, create a configuration file to be used when the restricted workspace server is started.
    - On Windows, create a file named sasv9.cfg with the following content:
        -config "SAS-configuration-directory\SASApp\sasv9.cfg"
    - On UNIX, create a file named workspaceServer.cfg with the following content:
        -config !SASROOT/sasv9.cfg
        -config sasv9.cfg
- Decide how the restricted workspace server will connect to the metadata server. Choose one of the following approaches:
  - Use trusted peer connections, which the metadata server accepts without requiring credentials. In the initial configuration, the metadata server accepts trusted peer connections from all user IDs and machines, so no special configuration is required. See Trusted Peer Connections in SAS Intelligence Platform: Security Administration Guide.
    Note: In this approach, the restricted server’s processes that are initiated from SAS Web Report Studio run under the rpoolsrv identity, and the restricted server’s processes that are initiated from a desktop application run under the requesting user’s identity. The Restricted Puddle Login Group and any allowed individual desktop users must have access to any external DBMS credentials.
  - Use credential-based connections, where the workspace server provides a user ID and password that are stored in its configuration file. In this approach, you add the METAUSER and METAPASS options to the configuration file that you created in step 1b. For example:
        -metauser "rpoolsrv"
        -metapass "encrypted-rpoolsrv-password"
    CAUTION: With this approach, it is essential to provide host protection of the configuration file for the restricted workspace server (because it contains privileged credentials).
    Tip: On Windows, qualify the user ID (for example, WIN\rpoolsrv).
    Tip: Encrypt the password using the PWENCODE procedure. See PWENCODE Procedure in Encryption in SAS.
    Tip: If you change the rpoolsrv account password, you must also manually update the password in this configuration file.
    Note: In this approach, all of the restricted server’s processes are launched under the rpoolsrv identity. Only the Restricted Puddle Login Group needs access to any DBMS credentials.
- In the metadata, define the restricted server.
  - On the Plug-ins tab of SAS Management Console, right-click Server Manager and select New Server.
  - In the New Server wizard, select Resource Templates > Servers > SAS Application Server.
    Note: The restricted workspace server must be in its own dedicated SAS Application Server.
  - Enter the name RestrictedPool.
  - Accept the default version and vendor information.
  - Select the Custom radio button.
  - Enter a value in the Command box as follows:
    For a workspace server on Windows:
        sas -config "SAS-configuration-directory\SASApp\RestrictedPool\sasv9.cfg"
    For a workspace server on UNIX:
        SAS-configuration-directory/SASApp/sas.sh -config RestrictedPool/workspaceServer.cfg
  - Specify the following values:
    Authentication domain: Select the authentication domain of your existing, general-purpose workspace server. Usually, this is DefaultAuth.
    Bridge port: Change the default value (8591) to an unassigned port value (such as 9591).
- Tell the object spawner about the restricted server.
  - Under Server Manager, right-click the object spawner, and select Properties.
  - On the Servers tab, move RestrictedPool - Workspace Server to the Selected servers list. Click OK.
  - Restart the object spawner.
- Test the connection to the restricted server.
  - Under Server Manager, expand the RestrictedPool application server and the RestrictedPool - Logical Workspace Server. Select the RestrictedPool - Workspace Server.
  - In the right pane, right-click the connection icon and select Test Connection.
    Note: If you are logged on with an internal account (an account that has the @saspw suffix), you are prompted for credentials. Enter the credentials for a user that has an external account, an individual metadata identity, and (on Windows) the Log on as a batch job Windows privilege.
    Tip: If the connection fails, select File > Clear Credentials Cache from the main menu and try again. You can also check the log files for the object spawner and the workspace server and make sure the contents of the configuration file in the RestrictedPool directory are correct.
- Configure the restricted server to support client-side pooling.
  - Right-click the RestrictedPool - Logical Workspace Server and select Convert To > Pooling. In the message box, click Yes.
  - In the Pooling Options dialog box, click New.
  - In the New Puddle dialog box, provide values as follows:
    | Minimum available servers |
    | Minimum number of servers |
    | Restricted Puddle Access Group |
  - Click OK in the Pooling Options dialog box.
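
The CAUTION under credential-based connections can be checked mechanically on UNIX. The following is an added example (not SAS code and not part of the original procedure) that audits a workspaceServer.cfg for a stored -metapass value that is not PWENCODE output and for group/other permission bits on the file; the function names, the sample password values, and the {SAS00n} tag pattern used to recognize encoded values are assumptions of the example.

```python
import os
import re
import stat
import tempfile

# One option per line, value optionally double-quoted (as in the page's snippets).
OPTION = re.compile(r'^\s*-(\w+)\s+("[^"]*"|\S+)')
# PROC PWENCODE output begins with a method tag such as {SAS002}.
ENCODED = re.compile(r"^\{sas\d{3}\}", re.IGNORECASE)


def audit_cfg(path):
    """Return findings for a restricted workspace server configuration file."""
    opts = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = OPTION.match(line)
            if m:  # a repeated option (such as -config) keeps its last value
                opts[m.group(1).lower()] = m.group(2).strip('"')
    findings = []
    if "metapass" not in opts:
        return findings  # trusted peer approach: nothing stored in the file
    if not ENCODED.match(opts["metapass"]):
        findings.append("-metapass value is not PWENCODE output")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} lets group/other reach stored credentials")
    return findings


def demo():
    """Audit two constructed files: a weak one and a hardened one."""
    cases = {"weak": ("Secret123", 0o644),
             "hardened": ("{SAS002}CONSTRUCTED0000", 0o600)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (password, mode) in cases.items():
            path = os.path.join(d, name + ".cfg")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("-config !SASROOT/sasv9.cfg\n-config sasv9.cfg\n"
                         f'-metauser "rpoolsrv"\n-metapass "{password}"\n')
            os.chmod(path, mode)
            results[name] = audit_cfg(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

The permission check covers UNIX mode bits only; on Windows the equivalent review is of the file's ACL.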