Security
Implementing Trusted Authentication Mechanisms

For multi-tier server environments where user IDs are already authenticated by a server's or Web server's authentication mechanism and then must assert those identities on the metadata server, the authorization facility supports two types of trusted connections: trusted user connections and trusted peer session connections. User IDs that connect to servers via the trusted user or trusted peer session mechanisms do not need an account on the authentication provider for the SAS Metadata Server's machine.

Trusted User Connections

The trusted user mechanism enables already authenticated users (from middle-tier servers, or from peer servers that run on the server tier) to connect to a SAS Metadata Server as trusted user connections. You must set up the appropriate authentication provider (host, LDAP, or Active Directory) for the trusted user; other users that connect via the trusted user do not require an account on the SAS Metadata Server's authentication provider, because the SAS Metadata Server trusts that they have been authenticated at the server. After you set up a trusted user in the For information about setting up a trusted user for the SAS Metadata Server, see Overview of Initial Users and Groups in the SAS Intelligence Platform: System Administration Guide.

Trusted Peer Session Connections

A trusted peer session connection enables a SAS process to establish a connection to a SAS Metadata Server without explicitly specifying the user ID and password to use for the connection. This feature enables the following:
For a SAS Metadata Server, you can allow a SAS Workspace Server or SAS Stored Process Server to connect to the metadata server as a trusted peer session. The trusted peer connection works as follows:
Important Note: Use of this proprietary protocol implies that the SAS Metadata Server trusts the authentication mechanism of the connecting server. You must implement appropriate security for your network to prevent untrusted machines and untrusted authentication from compromising the SAS Metadata Server.

Setting up Trusted Peer Connections for SAS Sessions

You can set up trusted peer sessions for peer servers (or sessions) that run on the server tier, on Windows and other systems. The following table shows the server (or session) environment from which you wish to connect, whether you use the AUTHPROVIDERDOMAIN (AUTHPD) option or the AUTHSERVER option on the SAS Metadata Server startup command, how to specify the trusted peer option on the SAS Metadata Server startup command, and who can connect as a trusted peer when using the specified setup:
Note: If the peer SAS session specifies a domain in its connection request (or has a domain associated with it by the AUTHPROVIDERDOMAIN (or AUTHSERVER) option), to allow that peer to connect you must create a trusted peer file and include that domain as a trusted domain. To understand the AUTHPROVIDERDOMAIN (or AUTHSERVER) option, if you are using host authentication, see Specifying Default Host Domains When Starting Servers That Only Use Host Authentication. If you are using alternate authentication, see Specifying Authentication Provider and Default Domains When Starting Servers.

Setting up a Trusted Peer File

To set up a trusted peer file, create a file (for example, the following):

```xml
<?xml version="1.0"?>
<!-- Specify which Windows Domain -->
<!-- suffixes we will allow -->
<TrustedSASDomains>
  <!-- Allow the domain "Domain0" when -->
  <!-- peer SAS Session is executing on UNIX host -->
  <unix>Domain0</unix>
  <!-- Allow the domains "Domain1" and "Domain2" when -->
  <!-- peer SAS Session is executing on z/OS host -->
  <os390>Domain1</os390>
  <os390>Domain2</os390>
  <!-- Allow the domain "Domain3" when -->
  <!-- peer SAS Session is executing on AlphaVMS host -->
  <vms>Domain3</vms>
</TrustedSASDomains>
```

Note: The trusted peer file is only required when the AUTHPROVIDERDOMAIN (or AUTHSERVER) option is specified upon startup of the SAS Metadata Server.

Example

The following is an example of a Windows SAS Metadata Server start command that specifies trusted peer support, which enables peer Windows servers (or sessions) that run on the server tier to connect as trusted peers:

```
"where_your_sas_is_installed\sas.exe" -log "C:\sasoma\logs\sasoma.log"
  -logparm "write=immediate" -linesize max -pagesize max -nosplash -noterminal
  -memsize 0 -objectserver
  -objectserverparms "protocol=bridge port=XXXX trustsaspeer=blank.xml classfactory=2887E7D7-4780-11D4-879F-00C04F38F0DB"
```

Note: Because UNIX and MVS users can provide the domain information that is associated (by the AUTHPROVIDERDOMAIN option) as a default domain, any user who can execute SAS on a UNIX or MVS system could supply a trusted peer domain. Therefore, if your network has separate UNIX or MVS security domains with identical user IDs representing different actual users, it is unsafe to use the TRUSTSASPEER option. If users set the wrong domain value, they can easily be viewed as the identically named user in another domain, and data on the peer server or SAS Metadata Server could be compromised.
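As an added illustration (not SAS code), the following Python loads a trusted peer file in the format shown above and applies the rule from the note: a peer session whose request carries a domain, explicitly or through the AUTHPROVIDERDOMAIN default, is accepted only if that domain is listed for its host platform. It assumes the TRUSTSASPEER option is enabled on the metadata server and that domain names compare case-insensitively; the sample file text and the platform/domain pairs tested are constructed here.

```python
"""Model of the trusted peer file check described on the page.

Added example, not SAS's own implementation. It assumes TRUSTSASPEER is
enabled and that domain comparison is case-insensitive.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the page's trusted peer file.
TRUSTED_PEER_XML = """<?xml version="1.0"?>
<TrustedSASDomains>
  <unix>Domain0</unix>
  <os390>Domain1</os390>
  <os390>Domain2</os390>
  <vms>Domain3</vms>
</TrustedSASDomains>"""

# Element names the page uses for the peer session's host platform.
PLATFORM_TAGS = {"unix", "os390", "vms"}


def load_trusted_domains(xml_text):
    """Return {platform_tag: {domain, ...}} parsed from trusted peer file text."""
    root = ET.fromstring(xml_text)
    if root.tag != "TrustedSASDomains":
        raise ValueError("root element must be TrustedSASDomains")
    trusted = {}
    for child in root:
        if child.tag not in PLATFORM_TAGS:
            raise ValueError("unknown platform element: <%s>" % child.tag)
        domain = (child.text or "").strip()
        if not domain:
            raise ValueError("empty domain in <%s>" % child.tag)
        trusted.setdefault(child.tag, set()).add(domain.lower())  # assumption: case-insensitive
    return trusted


def peer_allowed(trusted, platform, request_domain, authpd_default=None):
    """Decide whether a peer session may connect as a trusted peer.

    request_domain: domain sent in the connection request (None if absent).
    authpd_default: domain the AUTHPROVIDERDOMAIN option associates with the
    session (None if the option is not set on that server).
    """
    domain = request_domain or authpd_default
    if domain is None:
        return True  # no domain to check: the trusted peer file is not consulted
    return domain.lower() in trusted.get(platform, set())
```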