Encryption Tasks

How to Increase Encryption Strength for Outbound Passwords in Transit

About Outbound Passwords and Over-the-Wire Encryption

Upgrade to RETURNPASSWORDS=SAS003

RETURNPASSWORDS=SAS003 and Compatibility

Accommodating Connections That Can't Use SAS003 Passwords


About Outbound Passwords and Over-the-Wire Encryption

A password is outbound when a client retrieves the password from the metadata in order to provide seamless access to a server such as Oracle. The password is outbound from the perspective of the metadata server. Connections to third-party servers often use outbound passwords. Most other connections don't use outbound passwords.

In the initial configuration, outbound passwords are transmitted in SAS002 format (SASProprietary encryption). If you have licensed SAS/SECURE, you can choose to increase the encryption strength for outbound passwords to SAS003 (AES encryption).


Upgrade to RETURNPASSWORDS=SAS003

To increase encryption strength for outbound passwords (if you have SAS/SECURE):

  1. Edit the metadata server's omaconfig.xml file to change the initial setting, RETURNPASSWORDS="SAS002", to the more secure setting, RETURNPASSWORDS="SAS003". The metadata server's omaconfig.xml file is located in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer/.

  2. Restart the metadata server.

  3. Verify that server connections continue to function as expected. If you encounter problems, either review the following topics or revert to RETURNPASSWORDS="SAS002".
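
One way to script step 1 while keeping a backup for the revert mentioned in step 3. This is an added example, not SAS-supplied code. The function names and the element layout of the sample file are assumptions; only the RETURNPASSWORDS attribute and its values come from this page.

```python
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample; the element layout is an assumption, only the attribute is from the page.
SAMPLE = '<OMAconfig>\n  <OMA RETURNPASSWORDS="SAS002"/>\n</OMAconfig>\n'

# Matches the attribute wherever it sits, so the enclosing element name is not relied on.
ATTR = re.compile(r'(RETURNPASSWORDS\s*=\s*)(["\'])(.*?)\2')


def current_setting(xml_text):
    """Return the RETURNPASSWORDS value in the config, or None if it is not set."""
    root = ET.fromstring(xml_text)  # raises ParseError on a malformed file
    for elem in root.iter():
        if "RETURNPASSWORDS" in elem.attrib:
            return elem.attrib["RETURNPASSWORDS"]
    return None


def set_returnpasswords(xml_text, value="SAS003"):
    """Return the config text with RETURNPASSWORDS changed and everything else untouched."""
    if current_setting(xml_text) is None:
        raise ValueError("RETURNPASSWORDS is not set in this file")
    new_text, count = ATTR.subn(lambda m: f"{m.group(1)}{m.group(2)}{value}{m.group(2)}", xml_text)
    # Refuse ambiguous files (e.g. a second copy inside a comment) and confirm the result parses.
    if count != 1 or current_setting(new_text) != value:
        raise ValueError("expected exactly one RETURNPASSWORDS attribute")
    return new_text


def upgrade_file(path, value="SAS003"):
    """Step 1 of the procedure: back up omaconfig.xml, then rewrite it. Returns the old value."""
    path = Path(path)
    text = path.read_text(encoding="utf-8")
    old = current_setting(text)
    if old == value:
        return old  # already at the target setting, leave the file alone
    new_text = set_returnpasswords(text, value)
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # kept for the revert in step 3
    path.write_text(new_text, encoding="utf-8")
    return old
```

The metadata server still has to be restarted (step 2) before the new setting takes effect.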


RETURNPASSWORDS=SAS003 and Compatibility

Almost all connections are compatible with SAS003 passwords, because almost all connections involve a SAS server and SAS servers can decode SAS003 passwords. For example, connections from SAS Information Map Studio to an Oracle server go through a workspace server. The workspace server decodes the outbound Oracle password.

However, a few specialized connections run directly from a Java client or .NET client to a third-party server. These clients can't decode SAS003 passwords. This is a deliberate limitation that reduces security exposures. Of course, a third-party server can't decode SAS003 passwords either. As a result, such connections fail if they attempt to use a password that is in SAS003 format. Here are some specific types of connections that can't use a SAS003 password (the list isn't exhaustive):


Accommodating Connections That Can't Use SAS003 Passwords

If you have SAS/SECURE but your deployment requires connections that are incompatible with SAS003 passwords, choose either of the following approaches: