Initial Load-Balancing Stored Process Server Configuration and Security
After you run the SAS Configuration Wizard to set up a stored process server,
the initial load-balancing SAS Stored Process Server configuration is set up with three MultiBridge connections so that the object spawner can start up to three stored process server processes. The object spawner will balance the workload across these processes.
The object spawner runs on the server host, listens for client requests,
and connects clients to the appropriate server process.
The SAS Metadata Server contains the spawner, server, and security metadata
for the load-balancing stored process server configuration.
The object spawner must connect to the SAS Metadata Server,
and the metadata must be appropriately configured to enable
the spawner to start the load-balancing stored process server
processes. The following diagram shows the initial security
setup and process flow for the load-balancing stored process
server and spawner configuration:
Note: On Windows, all user IDs would be machine or domain qualified (for example,
As shown in the previous diagram, the object spawner obtains the metadata information to start a load-balancing stored process server as follows:
When the spawner is started, it reads a metadata configuration file named
omrconfig.xml that contains information to access the SAS Metadata Server. This metadata configuration file specifies the following information:
- the location of the SAS Metadata Server
- the user ID that the spawner will use to connect to the metadata server
By default, the
omrconfig.xml file contains the user ID
which is owned by the SAS Trusted User.
The object spawner connects to the SAS Metadata Server using the user ID specified in
omrconfig.xml. (By default, this is the SAS Trusted User (for example,
sastrust).) The SAS Trusted User's credentials are authenticated against the SAS Metadata Server's authentication provider.
On the SAS Metadata Server, the connection from the object spawner is associated with the user that owns the
sastrust user ID, SAS Trusted User. The spawner (as the SAS Trusted User) reads the metadata information for the server and spawner configuration.
Note: The SAS Trusted User's login credentials can view the server's multi-user login credentials (
sassrv) because the SAS Trusted User is a member of the
SAS General Servers group and the SAS General Servers group owns the server's multi-user login credentials (
The object spawner then has the necessary metadata to launch a server.
The following diagram shows the flow for a client request and server launch.
The flow is as follows:
When a client requests a server, the client is authenticated against the host authentication provider for the server.
If the object spawner needs to launch a new stored process server, the object spawner uses the credentials of the server's multi-user login (
sassrv) to launch the load-balancing stored process server.
Note: Because the stored process server runs under the credentials for the multi-user stored process server, each client can only access information for which the multi-user credentials are authorized.
To summarize, in your initial load-balancing stored process server configuration, you must ensure that security is configured properly, as follows:
- On the SAS Metadata Server, ensure that the SAS Trusted User is a member of the SAS General Servers group.
- In the metadata configuration file, omrconfig.xml, ensure that the SAS Trusted User's credentials are specified.
- On the SAS Metadata Server, ensure that the group login owned by the SAS General Servers group is specified in the stored process server definition (on the Credentials tab).
- Ensure that the user ID and password of the group login for the SAS General Servers group match the account on the host authentication provider for the stored process server.
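The four checks above can be run as one audit over an inventory of the metadata. The following is an added example, not SAS code or a SAS file format: the dictionary layout, the finding codes, and the `sasdemo` ID are assumptions made for illustration, and the sample inventories are constructed.

```python
import copy

GROUP = "SAS General Servers"
TRUSTED = "SAS Trusted User"

# Constructed inventory in a hypothetical export layout (not a SAS file format).
GOOD = {
    "omrconfig_user_id": "sastrust",            # user ID found in omrconfig.xml
    "identities": {TRUSTED: {"logins": ["sastrust"]}},
    "groups": {GROUP: {"members": [TRUSTED], "logins": ["sassrv"]}},
    "stored_process_server": {"credentials_login": "sassrv"},  # Credentials tab
    "host_accounts": ["sastrust", "sassrv"],    # accounts known to host auth
}

def audit(inv):
    """Return a list of finding codes; an empty list means the chain is intact."""
    findings = []
    group = inv["groups"].get(GROUP, {"members": [], "logins": []})
    trusted = inv["identities"].get(TRUSTED, {"logins": []})
    # 1. Without group membership the spawner cannot read the sassrv login.
    if TRUSTED not in group["members"]:
        findings.append("trusted-user-not-in-general-servers")
    # 2. omrconfig.xml must name a user ID owned by the SAS Trusted User.
    if inv["omrconfig_user_id"] not in trusted["logins"]:
        findings.append("omrconfig-user-not-owned-by-trusted-user")
    # 3. The server definition must use a login owned by the group.
    login = inv["stored_process_server"].get("credentials_login")
    if login not in group["logins"]:
        findings.append("server-login-not-owned-by-group")
    # 4. The login must exist on the host; the password match cannot be
    #    verified offline and still needs a manual check.
    if login not in inv["host_accounts"]:
        findings.append("server-login-missing-on-host")
    return findings

def broken_example():
    """Constructed misconfiguration: membership removed, other login on server."""
    inv = copy.deepcopy(GOOD)
    inv["groups"][GROUP]["members"].remove(TRUSTED)
    inv["stored_process_server"]["credentials_login"] = "sasdemo"  # constructed ID
    return inv

if __name__ == "__main__":
    print(audit(GOOD))
    print(audit(broken_example()))
```

User IDs are compared exactly as exported, so on Windows the inventory should carry the machine- or domain-qualified form on both sides.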
To improve performance, you can add a second load-balancing stored process server machine.
For details, see Overview of Load Balancing.