Configure Security

Authentication and Authorization

SAS Visual Process Orchestration Server helps authorize and authenticate users as needed throughout the process of creating, modifying, and executing orchestration jobs. Authorization and authentication services are provided by the SAS Web Application Server and the SAS Metadata Server, in coordination with network authentication providers. These services ensure that each orchestration job run request, and each node that is run in those jobs, has appropriate privilege.
Authentication first takes place when users open the SAS web client. The user’s credentials are validated by an authentication provider in the domain that is specified in the credentials, or in a default domain. The submitted credentials must match a login for that user that is stored on the SAS Metadata Server.
Authentication also takes place when a user submits a request to run an orchestration job. The requesting user is authenticated by the Runtime Server through the SAS Metadata Server.
Authorization takes place as needed during the creation, modification, and execution of orchestration jobs. The SAS Web Application Server validates the identity of the user of the SAS Web Client and authorizes access to orchestration jobs, data tables, component jobs, and component real-time services.

Encryption

The default security configuration encrypts all credentials that are transmitted using the Integrated Object Model (TCP/IP). Also encrypted are any passwords that need to be stored on disk. The default encryption algorithm is SASPROPRIETARY.

Enhance Security

You can enhance encryption and protect Runtime Server SOAP connections using SSL. To enhance encryption, you change configuration options to specify an encryption algorithm whose private key length is greater than that of SASPROPRIETARY. For the Design Server, you enhance encryption using the SAS/SECURE software, as described in the documents Encryption in SAS and SAS Intelligence Platform: Security Administration Guide. For the Runtime Server, you install SSL and use its encryption algorithm, as described in the DataFlux Secure Administrator’s Guide.
SAS/SECURE and DataFlux Secure are installed by default with SAS Visual Process Orchestration Server.
On the Runtime Server, you configure OpenSSL to match the configuration of your SAS web clients. You can use trusted certificates from commercial suppliers, or you can use digitally signed certificates that you generate locally.
As the final step in the process of configuring SSL for the Runtime Server, you update the server’s metadata definition on the SAS Metadata Server to indicate that SSL is enabled. This step is important because the Runtime Server retrieves the following option values from the SAS Metadata Server at start time.
Security Options on the SAS Metadata Server
  DMSERVER/SECURE: The value YES enables local security, and NO disables local security.
  DMSERVER/SOAP/SSL: The value YES enables SSL, and NO disables SSL.
To change the configuration options in the Runtime Server metadata definition, follow these steps:
  1. Start SAS Management Console and enter administrative credentials.
  2. Locate the Runtime Server in the server tree. Right-click to display server properties.
  3. In the server properties dialog box, click the Options tab.
  4. In the Options tab, change the value of the Application Protocol field from HTTP to HTTPS.
  5. Click OK to save your change and close the dialog box.
CAUTION:
When SSL is configured on the Runtime Server, the server will not start unless it finds the OpenSSL software in the PATH environment variable or in the directory install-path/bin. The Runtime Server installation process meets this requirement by default.
For reference, your SSL configuration needs to include values for the following SSL-related configuration options in dmserver.cfg.
Local SSL Configuration Options
  DMSERVER/SOAP/SSL/KEY_FILE: Specifies the path to the key file that is required when the SOAP server must authenticate to clients.
  DMSERVER/SOAP/SSL/KEY_PASSWD: Specifies the password for DMSERVER/SOAP/SSL/KEY_FILE. If the key file is not password protected, then comment out this option. The value of this option must be encrypted. To encrypt passwords, see Encrypt the Key Password for SSL.
  DMSERVER/SOAP/SSL/CA_CERT_FILE: Specifies the file that stores your trusted certificates.
  DMSERVER/SOAP/SSL/CA_CERT_PATH: Specifies the path to the directory where you store your trusted certificates.
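
The following added example, which is not SAS or DataFlux code, checks the text of a dmserver.cfg for the four local SSL options above and reports when KEY_PASSWD does not match whether the key file is password protected. It assumes NAME = value lines with # comments, a PEM-format key file, and POSIX file modes; the function names and sample paths are hypothetical.

```python
import os
import stat

PREFIX = "DMSERVER/SOAP/SSL/"
# Constructed sample: placeholder paths, KEY_PASSWD commented out.
SAMPLE_CFG = """\
DMSERVER/SOAP/SSL/KEY_FILE = /opt/example/etc/server.key
# DMSERVER/SOAP/SSL/KEY_PASSWD = <encrypted-value-placeholder>
DMSERVER/SOAP/SSL/CA_CERT_FILE = /opt/example/etc/ca.pem
DMSERVER/SOAP/SSL/CA_CERT_PATH = /opt/example/etc/certs
"""

def parse_cfg(text):
    """Active options as {NAME: value}; assumes 'NAME = value' lines, '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            opts[name.strip().upper()] = value.strip()
    return opts

def key_is_encrypted(path):
    """True if a PEM key has an encryption marker (PEM format is an assumption)."""
    with open(path, "r", errors="replace") as fh:
        return "ENCRYPTED" in fh.read(4096)  # PKCS#8 or legacy Proc-Type header

def audit_ssl(cfg_text):
    """Return findings for the four local SSL options listed on this page."""
    opts, findings = parse_cfg(cfg_text), []
    key, passwd = (opts.get(PREFIX + n, "") for n in ("KEY_FILE", "KEY_PASSWD"))
    if not os.path.isfile(key):
        findings.append("KEY_FILE is unset or does not point to a file")
    else:
        enc = key_is_encrypted(key)
        if stat.S_IMODE(os.stat(key).st_mode) & 0o077:  # POSIX mode bits only
            findings.append("KEY_FILE is accessible to group or other users")
        if enc and not passwd:
            findings.append("key is password protected but KEY_PASSWD is not set")
        elif passwd and not enc:
            findings.append("key has no password: comment out KEY_PASSWD")
    if not os.path.isfile(opts.get(PREFIX + "CA_CERT_FILE", "")):
        findings.append("CA_CERT_FILE is unset or does not point to a file")
    if not os.path.isdir(opts.get(PREFIX + "CA_CERT_PATH", "")):
        findings.append("CA_CERT_PATH is unset or is not a directory")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ssl(SAMPLE_CFG)))
```

The check does not verify that the KEY_PASSWD value is in encrypted form, because the page does not describe the output format of the encryption tools.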

Encrypt the Key Password for SSL

If your SSL key is password-protected, then you can encrypt a password as described here. You can then add the encrypted password as the value of the Runtime Server configuration option DMSERVER/SOAP/SSL/KEY_PASSWD (in dmserver.cfg).
To encrypt passwords in the Windows operating environment, run install-path\bin\EncryptPassword.exe. Enter the password, confirm your initial entry, and receive the encrypted password.
To encrypt passwords in the UNIX and Linux operating environments, enter the command dmsadmin crypt.