Trusted Peer

Summary: The metadata server accepts peer SAS sessions and servers that connect using a proprietary protocol, trusting that the connecting identities have already been properly authenticated by the peer.

Scope: From any SAS session or SAS IOM server process to the metadata server. The scope is configurable.

Benefits: Enables a SAS/CONNECT server to access the metadata server. Facilitates connections to the metadata server during batch processing.
Note: In a Windows environment, it is safer to instead use Integrated Windows authentication to support connections back to the metadata server during batch processing.

Limits: Because the metadata server relies on the peer's claim that the identity was authenticated, it is important to minimize availability of this feature.

Use: Optional. If you use your operating system scheduler to run metadata backup jobs, make sure that trusted peer connections from the host account that runs those jobs are allowed.
If the metadata server's start command includes the TRUSTSASPEER=
option, the referenced trustedPeers.xml file specifies which user
IDs and machines are eligible to connect to the metadata server using
the trusted peer protocol.
By default, all user
IDs and machines are eligible. The initial contents of the trustedPeers.xml
file are as follows:
<TrustedSASPeers>
  <TrustedSASPeerClients>
    <client name="SAS" />
  </TrustedSASPeerClients>
  <TrustedSASPeerUsers>
    <user name="*" />
  </TrustedSASPeerUsers>
  <TrustedSASPeerMachines>
    <machine ip="*" />
  </TrustedSASPeerMachines>
</TrustedSASPeers>
For greater security,
we recommend that you target this mechanism so the metadata server
does not accept every connection that uses the proprietary protocol.
You can use either or both of these constraints:
- accept only specified user IDs
- accept only connections that originate from specified machines
You can define constraints
in trustedPeers.xml as follows:
TrustedSASPeerClients lists eligible client types. SAS and java are the valid values. It is recommended that you reject connections from Java clients. Typically, there is only one entry between the TrustedSASPeerClients tags:
  <client name="SAS"/>
TrustedSASPeerUsers lists eligible user IDs. To represent all users, use an asterisk (*). To represent all users in a Windows domain, use the format *@domain. For Windows accounts, provide domain-qualified (or machine-qualified) IDs. For example, you might insert these three entries between the TrustedSASPeerUsers tags:
  <user name="*@winXP"/>
  <user name="tara"/>
  <user name="batchjobID"/>
TrustedSASPeerMachines lists eligible points of origin. Identify machines by IP address. You can use asterisks (*) as wildcards. For example, you might insert these three entries between the TrustedSASPeerMachines tags:
  <machine ip="1.2.3.4"/>
  <machine ip="A:B:C:D:E:F:1.2.3.4"/>
  <machine ip="*.*.8.9"/>
Note: Only connections that meet all of the specified criteria (client type, user ID, and machine) are accepted. If any of the three sections is empty, no trusted peer connections are allowed.
Note: An additional constraint,
TrustedSASDomains, is supported for backwards compatibility but will
be deprecated in a future release.
Note: The trustedPeers.xml file is in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer/.