Trusted Peer Connections

Trusted Peer
Summary
The metadata server accepts peer SAS sessions and servers that connect using a proprietary protocol (trusting that those connecting identities have already been properly authenticated).
Scope
From any SAS session or SAS IOM server process to the metadata server. The scope is configurable.
Benefits
Enables a SAS/CONNECT server to access the metadata server. Facilitates connections to the metadata server during batch processing.
Note: In a Windows environment, it is safer to instead use Integrated Windows authentication to support connections back to the metadata server during batch processing.
Limits
It is important to minimize availability of this feature.
Use
Optional. If you use your operating system scheduler to run metadata backup jobs, make sure that trusted peer connections from the host account that runs those jobs are allowed.
If the metadata server's start command includes the TRUSTSASPEER= option, the referenced trustedPeers.xml file specifies which user IDs and machines are eligible to connect to the metadata server using the trusted peer protocol.
By default, all user IDs and machines are eligible. The initial contents of the trustedPeers.xml file are as follows:
<TrustedSASPeers>

     <TrustedSASPeerClients>
          <client name="SAS" />
     </TrustedSASPeerClients>

     <TrustedSASPeerUsers>
          <user name="*" />
     </TrustedSASPeerUsers>

     <TrustedSASPeerMachines>
          <machine ip="*" />
     </TrustedSASPeerMachines>

</TrustedSASPeers>
For greater security, we recommend that you target this mechanism so the metadata server does not accept every connection that uses the proprietary protocol. You can use either or both of these constraints:
  • accept only specified user IDs
  • accept only connections that originate from specified machines
You can define constraints in trustedPeers.xml as follows:
TrustedSASPeerClients
lists eligible client types. SAS and java are the valid values. It is recommended that you reject connections from Java clients.
Typically, there is only one entry between the TrustedSASPeerClients tags:
<client name="SAS"/>
TrustedSASPeerUsers
lists eligible user IDs. To represent all users, use an asterisk (*). To represent all users in a Windows domain, use the format *@domain. For Windows accounts, provide domain-qualified (or machine-qualified) IDs. For example, you might insert these three entries between the TrustedSASPeerUsers tags:
<user name="*@winXP"/>
<user name="tara"/>
<user name="batchjobID"/>
TrustedSASPeerMachines
lists eligible points of origin. Identify machines by IP address. You can use asterisks (*) as wildcards. For example, you might insert these three entries between the TrustedSASPeerMachines tags:
<machine ip="1.2.3.4"/>
<machine ip="A:B:C:D:E:F:1.2.3.4"/>
<machine ip="*.*.8.9"/>
Note: Only connections that meet all specified criteria are accepted. If any of the sections are empty, no trusted peer connections are allowed.
Note: An additional constraint, TrustedSASDomains, is supported for backwards compatibility but will be deprecated in a future release.
Note: The trustedPeers.xml file is in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer/.
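As an added example (not part of the SAS documentation or product), the following Python checker parses a trustedPeers.xml document, evaluates whether a given client type, user ID and IP address would be accepted under the rules described above (every section non-empty, every criterion matched, asterisk as wildcard), and flags the wide-open settings this section recommends against. DEFAULT_XML is the initial file contents shown above; NARROWED_XML, the tested identities and case-sensitive matching are assumptions of this checker, not documented SAS behaviour.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Initial file contents as shown in the guide (all user IDs, all machines).
DEFAULT_XML = """<TrustedSASPeers>
<TrustedSASPeerClients><client name="SAS"/></TrustedSASPeerClients>
<TrustedSASPeerUsers><user name="*"/></TrustedSASPeerUsers>
<TrustedSASPeerMachines><machine ip="*"/></TrustedSASPeerMachines>
</TrustedSASPeers>"""

# Constructed, narrowed policy built from the guide's example entries.
NARROWED_XML = """<TrustedSASPeers>
<TrustedSASPeerClients><client name="SAS"/></TrustedSASPeerClients>
<TrustedSASPeerUsers><user name="*@winXP"/><user name="batchjobID"/></TrustedSASPeerUsers>
<TrustedSASPeerMachines><machine ip="1.2.3.4"/><machine ip="*.*.8.9"/></TrustedSASPeerMachines>
</TrustedSASPeers>"""

def load_policy(xml_text):
    """Collect the three constraint lists from a trustedPeers.xml document."""
    root = ET.fromstring(xml_text)
    return {"clients": [c.get("name") for c in root.iter("client")],
            "users": [u.get("name") for u in root.iter("user")],
            "machines": [m.get("ip") for m in root.iter("machine")]}

def _matches(patterns, value):
    # '*' is the only wildcard the guide documents; case-sensitive
    # matching is an assumption of this checker.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def would_accept(policy, client, user, ip):
    """True only if every section is non-empty and every criterion matches."""
    if not (policy["clients"] and policy["users"] and policy["machines"]):
        return False  # an empty section disables trusted peer connections
    return (_matches(policy["clients"], client)
            and _matches(policy["users"], user)
            and _matches(policy["machines"], ip))

def permissive_findings(policy):
    """Flag settings the guide recommends against for a hardened file."""
    findings = []
    if "*" in policy["users"]:
        findings.append("users: '*' accepts every user ID")
    if "*" in policy["machines"]:
        findings.append("machines: '*' accepts any IP address")
    if any(c.lower() == "java" for c in policy["clients"]):
        findings.append("clients: Java clients are accepted")
    return findings
```

Running permissive_findings over your own trustedPeers.xml is a quick way to confirm the file has been narrowed from the defaults before the metadata server is started with TRUSTSASPEER=.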