SAS 9.1.3 Integration Technologies » Server Administrator's Guide



Implementing Trusted Authentication Mechanisms

For multi-tier server environments where user IDs are already authenticated by a server or Web server's authentication mechanism and then must assert those identities on the metadata server, the authorization facility supports two types of trusted connections: trusted user connections and trusted peer session connections. User IDs that are used to connect to servers via the trusted user or trusted peer session mechanisms do not need to have an account on the authentication provider for the SAS Metadata Server's machine.

Trusted User Connections

The trusted user mechanism enables already authenticated users (from middle-tier servers, or peer servers that run on the server tier) to connect to a SAS Metadata Server as trusted user connections. You must set up the appropriate authentication provider (host, LDAP, or Active Directory) for the trusted user; other users that connect via the trusted user do not require an account on the SAS Metadata Server's authentication provider, because the SAS Metadata Server trusts that they have been authenticated at the server.

After you set up a trusted user in the trustedUser.txt file and on the appropriate authentication provider, the trusted user generates user passwords for users that have already been authenticated by a middle-tier server or a peer server that runs on the server tier. From the viewpoint of the authorization facility, the trusted user represents an already authenticated connection to the SAS Metadata Server that can act on behalf of other users. When a user who has already been authenticated on a middle-tier server tries to connect to the SAS Metadata Server, the trusted user can generate a password that allows that user to connect.

For information about setting up a trusted user for the SAS Metadata Server, see Overview of Initial Users and Groups in the SAS Intelligence Platform: System Administration Guide.

Trusted Peer Session Connections

A trusted peer session connection enables a SAS process to establish a connection to a SAS Metadata Server without explicitly specifying the user ID and password to use for the connection. This feature enables the following:
  • peer sessions can connect to the SAS Metadata Server without a password by using a user ID provided by the operating system
  • applications that run jobs on SAS Stored Process Servers or SAS Workspace Servers can generate code without credentials
  • batch jobs can run without explicit credentials.

For a SAS Metadata Server, you can allow a SAS Workspace Server or SAS Stored Process Server to connect to the metadata server as a trusted peer session.

The trusted peer connection works as follows:

  1. The SAS Metadata Server is started with the trustsaspeer option. The trustsaspeer option specifies either

    • a file that contains a list of trusted domains for peer servers (or sessions) that run on the server tier and connect from environments other than Windows.

      Note: If your SAS Metadata Server is authenticating clients against an alternative authentication provider, you must specify a file that contains the trusted domains for the peer servers (or sessions) that run on the server tier and connect from an environment other than Windows.

    • a blank or non-existent file.

  2. A peer server (on either the middle tier or the server tier) or session uses a proprietary protocol to make a connection to the SAS Metadata Server.

  3. If the SAS Metadata Server receives a connection with this proprietary protocol, it accepts the following:

    • non-domain qualified user IDs from hosts other than Windows.

    • domain-qualified user IDs from hosts other than Windows whose domains are specified in a trusted peer file (for example, trustedpeer.xml).

    • user IDs from peer servers (or sessions) that run on the server tier and connect from Windows.

Important Note: Use of this proprietary protocol implies that the SAS Metadata Server trusts the authentication mechanism of the connecting server. You must implement the appropriate security for your network to prevent untrusted machines and untrusted authentication that could compromise the SAS Metadata Server.

Setting up Trusted Peer Connections for SAS Sessions

You can set up trusted peer sessions for peer servers (or sessions) that run on the server tier, on Windows and other systems. The following table shows the server (or session) environment from which you wish to connect, whether you use the AUTHPROVIDERDOMAIN (AUTHPD) option or AUTHSERVER option on the SAS Metadata Server startup command, how to specify the trusted peer option on the SAS Metadata Server startup command, and who can connect as a trusted peer connection when using the specified setup:

Trusted Peer Session Connection Setup(s)

The table has four columns: Connecting Environment for Trusted Peer Session; Is AUTHPD (or AUTHSERVER) Option Used on SAS Metadata Server Startup Command?; Trusted Peer Option To Use With SAS Metadata Server Startup Command; and Who Can Connect.

Setup 1
  • Connecting environment: Windows peer servers (or sessions) that run on the server tier
  • Is AUTHPD (or AUTHSERVER) option used? Either YES or NO
  • Trusted peer option: trustsaspeer=blankornonexist.xml, where blankornonexist.xml is a non-existent or empty trusted peer file
  • Who can connect:
    • Peer SAS sessions from SAS Stored Process Servers, SAS Workspace Servers, or SAS batch sessions running on Windows.
    • Peer SAS sessions from SAS Stored Process Servers, SAS Workspace Servers, or SAS batch sessions running on environments other than Windows if they DO NOT specify a domain with their user ID.

Setup 2
  • Connecting environment: peer servers (or sessions) that run on the server tier, on environments other than Windows
  • Is AUTHPD (or AUTHSERVER) option used? NO
  • Trusted peer option: trustsaspeer=blankornonexist.xml, where blankornonexist.xml is a non-existent or empty trusted peer file
  • Who can connect: Peer SAS sessions from SAS Stored Process Servers, SAS Workspace Servers, or SAS batch sessions that DO NOT specify a domain with their user ID.

Setup 3
  • Connecting environment: peer servers (or sessions) that run on the server tier, on environments other than Windows
  • Is AUTHPD (or AUTHSERVER) option used? YES
  • Trusted peer option: trustsaspeer=c:\config\trustedpeer.xml, where trustedpeer.xml is a trusted peer file that contains the trusted domains. To create a trusted peer file, see Setting up a Trusted Peer File.
  • Who can connect: Peer SAS sessions from SAS Stored Process Servers, SAS Workspace Servers, or SAS batch sessions running on environments other than Windows if any of the following are true:
    • the domain is specified in the credentials and is in the trusted peer file.
    • a domain is not specified in the credentials and the domain specified by the AUTHPROVIDERDOMAIN (or AUTHSERVER) option is in the trusted peer file.

Note: If the peer SAS session specifies a domain in its connection request (or has a domain associated to it by the AUTHPROVIDERDOMAIN (or AUTHSERVER) option), to allow that peer to connect, you must create a trusted peer file and include that domain as a trusted domain.

To understand the AUTHPROVIDERDOMAIN (or AUTHSERVER) option, if you are using host authentication, see Specifying Default Host Domains When Starting Servers That Only Use Host Authentication. If you are using alternate authentication, see Specifying Authentication Provider and Default Domains When Starting Servers.

Setting up a Trusted Peer File

To set up a trusted peer file, create a file (for example, trustedpeer.xml) that contains a list of the trusted domains. For example:

<?xml version="1.0"?>
<!-- Specify which Windows Domain -->
<!-- suffixes we will allow -->
<TrustedSASDomains>
  <!-- Allow the domain "Domain0" when -->
  <!-- peer SAS Session is executing on UNIX host -->
  <unix>Domain0</unix>
  <!-- Allow the domains "Domain1" and "Domain2" when -->
  <!-- peer SAS Session is executing on z/OS host -->
  <os390>Domain1</os390>
  <os390>Domain2</os390>
  <!-- Allow the domain "Domain3" when -->
  <!-- peer SAS Session is executing on AlphaVMS host -->
  <vms>Domain3</vms>
</TrustedSASDomains>

Note: The trusted peer file is only required when the AUTHPROVIDERDOMAIN (or AUTHSERVER) option is specified upon startup of the SAS Metadata Server.
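As an added illustration (not SAS code and not part of this guide), the following Python models the acceptance rules described in step 3 above and in the setup table: it reads a trusted peer file in the format shown, and decides whether a peer's user ID would be accepted given the host type of the peer and the default domain supplied by the AUTHPROVIDERDOMAIN (or AUTHSERVER) option. The sample file contents, the DOMAIN\user and user@DOMAIN separator forms, and case-insensitive domain matching are assumptions made for the example; the host types are named after the element names the trusted peer file uses.

```python
"""Model of the trusted-peer acceptance rules described in this section.

Illustrative re-implementation of the documented decision, not SAS code.
Assumptions (not stated on the page): domain names compare case-insensitively;
a domain-qualified user ID is written DOMAIN\\user or user@DOMAIN; the peer's
host type is "windows" or one of the element names used in the trusted peer
file ("unix", "os390", "vms").
"""
import xml.etree.ElementTree as ET

# Constructed sample trusted peer file, in the format shown above.
TRUSTED_PEER_XML = """<?xml version="1.0"?>
<TrustedSASDomains>
  <unix>Domain0</unix>
  <os390>Domain1</os390>
  <os390>Domain2</os390>
  <vms>Domain3</vms>
</TrustedSASDomains>
"""


def load_trusted_domains(xml_text):
    """Return {host_type: set of lower-cased domains} from a trusted peer file.

    A blank (or missing) file yields an empty mapping: no domain is trusted,
    which matches the "blankornonexist.xml" setups in the table.
    """
    if not xml_text or not xml_text.strip():
        return {}
    root = ET.fromstring(xml_text)
    if root.tag != "TrustedSASDomains":
        raise ValueError("not a trusted peer file: root element is %r" % root.tag)
    trusted = {}
    for elem in root:
        domain = (elem.text or "").strip()
        if domain:
            trusted.setdefault(elem.tag, set()).add(domain.lower())
    return trusted


def split_user_id(user_id):
    """Split 'DOMAIN\\user' or 'user@DOMAIN' into (user, domain or None)."""
    if "\\" in user_id:
        domain, user = user_id.split("\\", 1)
        return user, domain
    if "@" in user_id:
        user, domain = user_id.rsplit("@", 1)
        return user, domain
    return user_id, None


def trusted_peer_accepted(user_id, host_type, trusted, default_domain=None):
    """Decide whether a trusted-peer connection would be accepted.

    host_type:      "windows", "unix", "os390" or "vms".
    trusted:        mapping produced by load_trusted_domains().
    default_domain: value of AUTHPROVIDERDOMAIN / AUTHSERVER, or None if
                    neither option is used on the metadata server.
    Returns (accepted, reason).
    """
    # Step 3, third bullet: user IDs from Windows peers are accepted.
    if host_type == "windows":
        return True, "Windows peer: user ID accepted"
    _, domain = split_user_id(user_id)
    # A default domain is associated with the peer when none is specified.
    effective = domain or default_domain
    if effective is None:
        # Step 3, first bullet: non-domain-qualified ID, no default domain.
        return True, "non-domain-qualified user ID and no default domain"
    # Step 3, second bullet: domain must be trusted for this host type.
    if effective.lower() in trusted.get(host_type, set()):
        return True, "domain %s is trusted for %s peers" % (effective, host_type)
    return False, "domain %s is not in the trusted peer file for %s" % (
        effective, host_type)


if __name__ == "__main__":
    rules = load_trusted_domains(TRUSTED_PEER_XML)
    for uid, host, default in [("sasdemo", "unix", None),
                               ("Domain0\\sasdemo", "unix", None),
                               ("Domain1\\sasdemo", "unix", None),
                               ("sasdemo", "os390", "Domain2"),
                               ("sasdemo", "vms", "Domain9")]:
        print(uid, host, default, trusted_peer_accepted(uid, host, rules, default))
```

The check makes the note that follows the table concrete: once a default domain is in play (or the peer names one), a blank trusted peer file rejects every non-Windows peer, and a populated file admits only the domains listed under that peer's host element.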

Example

The following is an example of a Windows SAS Metadata Server start command that specifies trusted peer support which enables peer Windows servers (or sessions) that run on the server tier to connect as trusted peers:

"where_your_sas_is_installed\sas.exe"
-log "C:\sasoma\logs\sasoma.log" -logparm "write=immediate"
-linesize max -pagesize max -nosplash -noterminal -memsize 0
-objectserver -objectserverparms "protocol=bridge port=XXXX
  trustsaspeer=blank.xml
  classfactory=2887E7D7-4780-11D4-879F-00C04F38F0DB"

Note: Because UNIX and MVS users can supply the domain that the AUTHPROVIDERDOMAIN option would otherwise associate with them as a default domain, any user who can execute SAS on a UNIX or MVS system could supply a trusted peer domain. Therefore, if your network has separate UNIX or MVS security domains with identical user IDs representing different actual users, it is unsafe to use the TRUSTSASPEER option. If users set the wrong domain value, they can easily be viewed as the identically named user in another domain. Data on the peer server or SAS Metadata Server could be compromised.