Previous Page | Next Page

Authentication Tasks

How to Reduce Exposure of the SASTRUST Password

Note:   This is not a universally necessary task. This is an optional configuration that can reduce the exposure of a privileged service account. Consider using these instructions if the standard protections (host protection of configuration files and encryption of the sastrust password in those files) is not sufficient for your environment. On hosts other than Windows, these instructions might not provide a clear security benefit.  [cautionend]

In the standard configuration, the OLAP server and the object spawner read the sastrust ID and password from their configuration files during initialization. These components use the sastrust credentials to connect to the metadata server and read the metadata that they use to perform their tasks. For example:

The primary reason to remove the sastrust credential from configuration files is to enhance security in a Windows environment. For sites that don't use Integrated Windows authentication, removing the sastrust credentials makes sense only if you prefer the exposure of using the trusted peer protocol to the exposure of storing the credentials in two host-protected files.

Note:   Another reason might be to avoid having to update the sastrust password in the configuration file. However, maintenance isn't usually a concern because sastrust is usually an internal account with a password that doesn't expire.  [cautionend]

To remove the sastrust credentials from configuration files:

  1. Locate the sasv9_meta.cfg file that is in your equivalent of SAS/Config/Lev1/. Make a backup copy of the file. In the original file, delete your version of these lines:

    -metauser "sastrust@saspw"
    -metapass "{sas002}3CD4EA1E35CA49324AOC4D63"

  2. Locate the file metadataConfig.xml file that is in your equivalent of SAS/Config/Lev1/ObjectSpawner. Make a backup copy of the file. In the original file, delete your version of this entry:

    <Login Name="Metadata Login" UserId="sastrust@saspw" 
     Password="{sas002}3CD4EA1E35CA49324AOC4D63"/>

  3. Determine which account (or accounts) are used for the connections and, on Windows, what format you should use for the account ID in the following steps. For example:

    • On UNIX, the spawner and the OLAP server run under a designated account that is identified during installation.

    • On Windows, if these components run under the local system account, use the format system@machine-name (if you are using trusted peer) or machine-name$@Windows-domain (if you are using IWA). Otherwise, use the usual Windows qualified format (such as user-ID@Windows-domain).

  4. To enable the spawner and the OLAP server to read the same metadata that sastrust reads, add a login such as this to the SAS Trusted User's Accounts tab in SAS Management Console:

    DefaultAuth | connecting-account-ID | (no password)

    If the components use different accounts, add one login for each account. For example:

    DefaultAuth | myMachine$@myWinDomain | (no password)
    DefaultAuth | invoker                | (no password)

    You can ignore any messages about multiple logins within an authentication domain.

  5. To make the connecting accounts trusted users, add their account IDs to your equivalent of the SAS/Config/Lev1/SASMeta/MetadataServer/trustedUsers.txt file. Use the same format for the user ID that you used in step 3. For example, the updated contents might look like this:

    sastrust@saspw
    myMachine$@myWinDomain
    invoker

    Note:   The OLAP server uses its trusted user status to impersonate clients for metadata access control evaluations. The spawner uses its trusted user status to determine which servers each requesting user is permitted to use.  [cautionend]

  6. Restart the metadata server. Verify that the spawner and the OLAP server can still contact the metadata server. In the metadata server log, you should see a separate connection from each component. The connections will be either IWA (Integrated Windows authentication) or trusted peer.

    Note:   In most configurations, IWA happens if the metadata server and the connecting component are on Windows and trusted peer happens on other hosts. If you expect IWA but instead see trusted peer, make sure the metadata server has -sspi in its invocation command. If you expect trusted peer but the connection fails, make sure the metadata server has the trustsaspeer object server parameter specified.   [cautionend]

See Also

Integrated Windows Authentication

Trusted Peer Connections

Trusted User Connections

Passwords That Are Managed By the SAS Deployment Manager

Previous Page | Next Page | Top of Page