Securing SAS BI Web Services

A default installation of SAS BI Web Services for Java or .NET is not highly secure. All requests and responses are sent as cleartext, and if a user wants to authenticate as a specific user, then they must send a user name and password as cleartext as part of the Properties element. Whenever user names and passwords must be sent as cleartext, SSL should be enabled to provide transport layer security. See the following links for more information about enabling SSL:

• The Tomcat 4 Servlet-JSP Container: SSL Configuration HOW-TO
• Managing WebLogic Security: Configuring SSL
• How To Enable SSL for All Customers Who Interact with Your Web Site in Internet Information Services

With SAS 9.1.3 Service Pack 4, SAS BI Web Services for Java can be secured using trusted Web server authentication. This provides a way for SAS BI Web Services for Java to identify the calling user using basic Web server authentication. See Securing SAS BI Web Services for Java for more information.

SAS BI Web Services for .NET can be secured using Web Services Enhancements 2.0 for Microsoft .NET, which enables support for the latest security and interoperability standards for Web services. For detailed information about using Web Services Enhancements 2.0, WS-Security, and WS-Policy to secure SAS BI Web Services, see Securing SAS BI Web Services for .NET with WSE 2.

The current release of SAS BI Web Services for Java does not support WS-Security or WS-Policy.