
Administering Multicast Options

Configuring Multicast Security

The multicast group communication includes all information needed to bootstrap SAS middle-tier applications. Because this includes sending the SAS environment credentials (such as the sasadm account name and its password), scoping and encryption options are provided in the SAS Deployment Wizard. The defaults are most appropriate for deployments in a firewalled, isolated data center environment. After installation, if you choose to modify the scoping or encryption options, you can do so by specifying the options for the -Dmulticast.security parameter for your Web application server.


Authentication Token for Multicast Security

The multicast protocol is protected with encryption by default because it conveys credentials. By default, group communication is protected only with a fixed encryption key that is built into the software. If your middle tier is not running in an environment that is well isolated from end-user access, then you might want better protection against eavesdroppers and unauthorized group participants. For such situations, choose a multicast authentication token known only to your SAS middle-tier administrative staff.

The authentication token is a password-like string needed to connect to the group and create a site-specific encryption key. The SAS Deployment Wizard simplifies configuration by using the authentication token that is built into the software. This option is best used in development and other low-security environments. It might also be appropriate in higher-security environments where the multicast group communication is isolated from the user community either via firewall or TTL option, and where all data center administrative and operations staff have sufficient security approval.

If your multicast group communication is not contained within an isolated data center environment, or if the security procedures at your site require protection among administrative and operational staff in various roles, use an authentication token that is known only to the administrators of the SAS environment.

By default, a code-level authentication token is shared among all SAS middle-tier applications to prevent access to the multicast group from unauthorized listeners. If you choose to use a customized authentication token, use an authentication token value that meets your organization's security guidelines. The authentication token can be any password-like string. In a multi-tier configuration, the SAS Deployment Wizard displays this prompt for each tier that has an application participating in the SAS multicast groups. The same authentication token string must be specified for each tier in the same SAS deployment (each tier associated with the same metadata server).

Specify the authentication token as a command-line option for your Web application server:

-DMULTICAST_AUTHENTICATION_TOKEN=token

For information about how to set command-line options, see your Instructions.html file. The -Dmulticast options are specified in the RemoteServices.bat file or the RemoteServices.sh file.

By default, clients who want to join a multicast group to receive messages are required to provide an authentication token for the join request. If you determine this process is causing an impact on performance, or that it is unnecessary, you can manually turn off the use of authentication tokens. If you specify NONE as an option, encryption and authentication are disabled. If you specify ENCRYPT, encryption is enabled with no authentication of the join request.
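
A configuration check for the options described above, as an added example that is not part of the SAS documentation: it reads a RemoteServices-style script and reports which protection level its multicast options select. It assumes the options are written in standard Java -Dname=value form and that NONE and ENCRYPT are values of -Dmulticast.security; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SAS code. Assumes options are written as -Dname=value.

# Print the value of one -D option in a script file ($1 = file, $2 = name regex).
# Comment lines (#, rem, ::) are skipped; if repeated, the last occurrence is reported.
jvm_opt() {
    sed -n -e '/^[[:space:]]*#/d' \
           -e '/^[[:space:]]*[Rr][Ee][Mm][[:space:]]/d' \
           -e '/^[[:space:]]*::/d' \
           -e "s/.*-D$2=\\([^\"'[:space:]]*\\).*/\\1/p" "$1" | tail -n 1
}

# Classify the multicast protection that the options in file $1 select.
# Prints one of: none | encrypt-only | default-token | custom-token
# The token value itself is never printed.
multicast_posture() {
    mode=$(jvm_opt "$1" 'multicast\.security' | tr '[:lower:]' '[:upper:]')
    token=$(jvm_opt "$1" 'MULTICAST_AUTHENTICATION_TOKEN')
    case $mode in
        NONE)    echo none ;;           # encryption and authentication disabled
        ENCRYPT) echo encrypt-only ;;   # join requests are not authenticated
        *)  # unset or any other value: judged by whether a token is supplied
            if [ -n "$token" ]; then
                echo custom-token       # site-chosen token supplied
            else
                echo default-token      # built-in token and fixed key in use
            fi ;;
    esac
}

# Constructed sample (not a real deployment file): a token is set, but a later
# line disables multicast security altogether.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# JVM options (constructed sample)
JAVA_OPTS="-Xmx512m -DMULTICAST_AUTHENTICATION_TOKEN=example-token"
JAVA_OPTS="$JAVA_OPTS -Dmulticast.security=NONE"
EOF
echo "multicast posture: $(multicast_posture "$sample")"
rm -f "$sample"
```

Run the check against the script on every tier of the deployment: any result other than custom-token outside an isolated data center segment is worth reviewing against the guidance above.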
