Configuration File Options

This section describes all the options that you can specify in the tunnel feature's configuration file and provides some general guidelines for specifying the options.

Configuration File Guidelines

When you modify the shrcgi.cfg file, follow these guidelines:
  • For each SASHOST, first specify the SASHOST identifier (which can include wildcards). Next, specify the options that apply to that host. If an option applies to more than one SASHOST but not all SASHOSTs, you must repeat the option for each host. If you want an option to apply to all SASHOSTs, make it a global option by placing it before the first SASHOST line.
  • The options SASPORT, RESPONSE_x, CLIENTHOST, and USERNAME have ALLOW and DISALLOW lists. The ALLOW lists and DISALLOW lists have similar functions: they both control which machines and users are able to connect to the remote SAS sessions. Use one or the other depending on which requires a shorter list.
    The DISALLOW list takes precedence over the ALLOW list. When the tunnel feature's server programs receive a request from the applet, they check the DISALLOW list first. If the request matches any values in the DISALLOW list, the request is rejected. The ALLOW list is checked only if the DISALLOW list is not present or if the request did not match any values specified in the DISALLOW list. If an ALLOW list is present, the request must match an option in the ALLOW list. Otherwise, the request is rejected.
  • You can use the asterisk (*) wildcard when specifying values in ALLOW or DISALLOW lists. For example, C*AT matches CAT, CHAT, and CRAVAT.
  • You can use aliases in the configuration file to mask the actual SAS command that is being used to invoke the remote SAS session. By masking the SAS command, the tunnel feature avoids exposing any specific information about the configuration of your system.
  • You can specify only one set of options for each host. If you specify a second set of options for a host, the second set is ignored. For example, if you specify options for the host identifier TEST*, and then you specify options for TEST2, the tunnel feature ignores the options that are specified for TEST2. When it receives a request that includes TEST2, the tunnel feature checks the request against the options specified for TEST*.
  • If a configuration file entry accepts multiple values, delimit the values with commas only.
  • Leading spaces are ignored.
  • Line continuation is not supported. You can use lines up to 256 characters.
  • To enter a comment, enter a pound sign (#) as the first character on each line of the comment. The Message Router ignores lines that begin with the pound sign.

Configuration File Example

The following configuration options apply to two hosts, TESTER and WIZARD:
SASHOST=TESTER
ALLOW_USERNAME=XYZ,A*,QRS
DISALLOW_USERNAME=ABC

SASHOST=WIZARD
ALLOW_RESPONSE_3=sas,sas -dms
The USERNAME specifications apply only to the TESTER host, and the SASCOMMAND specification (ALLOW_RESPONSE_3) applies only to the WIZARD host. Only users with the IDs XYZ and QRS, and those with IDs starting with A (except ABC), can connect to the host machine TESTER. On WIZARD, the only SAS commands allowed are the two commands shown in the ALLOW list (assuming that RESPONSE_3 is defined as the response to the command prompt).
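
The guidelines and the example above can be checked mechanically. The following Python is an added example, not SAS code: it parses a shrcgi.cfg-style file and applies the DISALLOW-before-ALLOW rule, the asterisk wildcard, and first-matching-SASHOST selection. The function names, case-sensitive matching, trimming of spaces around values, a host entry overriding a global option of the same name, and acceptance when no ALLOW list exists are assumptions.

```python
import re

# Constructed sample: the TESTER/WIZARD entries from the example above.
SAMPLE_CFG = """\
SASHOST=TESTER
ALLOW_USERNAME=XYZ,A*,QRS
DISALLOW_USERNAME=ABC

SASHOST=WIZARD
ALLOW_RESPONSE_3=sas,sas -dms
"""

def wildcard_match(pattern, value):
    # Only '*' is special, so C*AT matches CAT, CHAT and CRAVAT.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None

def parse_cfg(text):
    # Returns (global_options, [(host_pattern, options), ...]) in file order.
    global_opts, hosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.lstrip()                      # leading spaces are ignored
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().upper()
        if key == "SASHOST":
            current = {}
            hosts.append((value.strip(), current))
        else:                                    # before first SASHOST: global
            target = global_opts if current is None else current
            target[key] = [v.strip() for v in value.split(",")]
    return global_opts, hosts

def is_allowed(cfg, host, field, value):
    # field is the list suffix, e.g. "USERNAME", "SASPORT", "RESPONSE_3".
    global_opts, hosts = cfg
    for pattern, opts in hosts:
        if wildcard_match(pattern, host):        # first matching SASHOST wins
            merged = {**global_opts, **opts}     # assumption: host overrides global
            break
    else:
        return False                             # host not in the file: refused
    deny = merged.get("DISALLOW_" + field, [])
    if any(wildcard_match(p, value) for p in deny):
        return False                             # DISALLOW takes precedence
    allow = merged.get("ALLOW_" + field)
    if allow is None:
        return True                              # assumption: no ALLOW list, accept
    return any(wildcard_match(p, value) for p in allow)
```

Evaluating a file that lists TEST* before TEST2 with this function shows the shadowing described in the guidelines: a request for TEST2 is decided by the TEST* options, and the TEST2 block is never consulted.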

Configuration Options

Options for SAS/SHARE Servers and SAS/CONNECT Servers

The following options can be defined in the tunnel feature's configuration file, and apply to both SAS/SHARE and SAS/CONNECT software:
SASHOST=hostname
Identifies the host (node) name or remote IP addresses of the machines on which your SAS/SHARE server is running or on which you want to start your SAS/CONNECT session. SASHOST specifies a single entry; it is not a comma-delimited list. For each SASHOST, first specify the SASHOST identifier (which can include wildcards). Next, specify the options that apply to that host. Users cannot connect to hosts that are not included in the configuration file. To remove any restrictions on the hosts, use a wildcard to specify all hosts, SASHOST=*.
Note: The tunnel feature looks for an exact match, so if you specify a node name, but the request that the tunnel feature receives uses the IP address for the same node, the tunnel feature does not recognize that the node name and IP address are for the same node.
ALLOW_SASPORT=port1,port2...
DISALLOW_SASPORT=port1,port2...
Lists the ports that can or cannot be used to establish a connection. For SAS/CONNECT software, specify the ports on which the Telnet daemon or spawner receives requests. For SAS/SHARE software, list the public ports that the SAS/SHARE server is listening to.
LOG=log_file_name
Identifies a log file that can be used for debugging tunneling problems.
Note: Information is added to this log file every time the tunneling feature is used, potentially creating an extremely large file. Consider periodically deleting the contents of the file, or remove this option setting from the configuration file after your tunneling problems have been resolved.
ALLOW_RESPONSE_x=response1, response2...
DISALLOW_RESPONSE_x=response1, response2...
Lists the allowed or disallowed Telnet (or spawner) responses, where x is a number from 1 to 5. (The aliases $USERNAME and $PASSWORD are always allowed, provided you have defined them. See the alias option.)
ALLOW_CLIENTHOST=node1,node2...
DISALLOW_CLIENTHOST=node1,node2...
Lists the node names or remote IP addresses of the machines that can or cannot connect to a SAS/SHARE server or start a SAS/CONNECT session. The tunnel feature looks for an exact match, so if you specify a node name but the request that the tunnel feature receives uses the IP address for the same node, the tunnel feature does not recognize that the node name and IP address are for the same node. Also, remember that the apparent requester might be a proxy executing the HTTP request on behalf of another machine.
TIMEOUT=nnn
Specifies the amount of time (in minutes) that the tunnel feature should wait for activity before closing the connection between the Protocol Interpreter and the SAS/SHARE server or SAS/CONNECT session. The default time-out is 30 minutes. After the time-out expires, the tunnel feature closes the Protocol Interpreter and the session ends.
WAIT=nnn
Specifies the amount of time (in seconds) that the tunnel feature should wait when connecting to a SAS/SHARE server or SAS/CONNECT session. The default time is 60 seconds.
alias=response-to-substitute
Specifies a response to substitute for the alias. Aliases are case-insensitive, and the first character must be a dollar sign ($). For example, define the following alias:
$mycommand=sas -dmr
You could then refer to the command using its alias, as follows:
ALLOW_RESPONSE=$mycommand

Options for SAS/SHARE Servers Only

The following option can be defined in the tunnel feature's configuration file and applies to SAS/SHARE only:
HELLO=nnn
Specifies the amount of time (in seconds) that the tunnel feature waits for SAS/SHARE initialization processing, which occurs immediately after the connection to the SAS/SHARE server is established. The default time is 45 seconds.

Options for SAS/CONNECT Servers Only

The following option can be defined in the tunnel feature's configuration file and applies to SAS/CONNECT only:
ALLOW_USERNAME=user1,user2...
DISALLOW_USERNAME=user1,user2...
Lists the user names that can or cannot be used to log in to the remote SAS session.