System Options for SAS Application Server Components |
Valid in: | configuration file, SAS invocation, metadata |
Category: | Environment control: Initialization and operation |
System Administration: Security | |
PROC OPTIONS GROUP= | EXECMODES |
SECURITY | |
Default: | negotiate |
Restriction: | Windows operating environment |
Applies to these servers: | workspace, stored process, OLAP, metadata, table, CONNECT |
See: | SECPACKAGELIST System Option |
SSPI System Option |
Syntax | |
Syntax Description | |
Details | |
Examples | |
See Also |
Syntax |
-secpackage "package-name" | " negotiate" |
specifies the security package that the IOM server should use to authenticate incoming client connections.
Enclose the security package name within double quotation marks (").
(default) enables the server to present a set of valid security packages (through the SECPACKAGELIST system option) that the server uses to find a match with an incoming client connection. If the client specifies a security package in the list, then the server attempts to authenticate the client using the matched security package.
Enclose negotiate within double quotation marks (").
Details |
The SECPACKAGE system option identifies the security package that the IOM server uses to authenticate incoming client connections.
Security packages are provided by vendors. Therefore, the package names are not validated against a list of names. Names need to be entered (casing and exact spelling) per instructions from the vendor.
When you specify -SECPACKAGE "negotiate", the IOM server uses the SECPACKAGELIST option to determine which package to use. SECPACKAGELIST specifies the names of the security packages that can be used by the server to authenticate incoming client connections. SECPACKAGE and SECPACKAGELIST are required to support single sign-on (SSO) to IOM servers. The client should initialize with a matching package name. Specifying an unknown package name (such as "disable") will effectively disable SSO.
In order to use SECPACKAGE, you must also specify SSPI.
Examples |
EXAMPLE 1:
In the following example, the IOM server specifies either Kerberos or NTLM security for authenticating incoming client requests:
-sspi -secpackage "negotiate" -secpackagelist "Kerberos,NTLM"
EXAMPLE 2:
In the following example, the IOM server specifies Kerberos security only for authenticating incoming client requests:
-sspi -secpackagelist "kerberos"
In the preceding example, SECPACKAGE does not have to be specified because it defaults to negotiate. The only protocol in the list to negotiate is Kerberos. Therefore, all clients that connect to the server must use Kerberos or fail the connection. It is important that the protocols of both the client and server match. The client is also forced to use Kerberos if the server displays only Kerberos in the package list.
EXAMPLE 3:
In the following example, the IOM server specifies NTLM security only for authenticating incoming client requests:
-sspi -secpackagelist "ntlm"
In the preceding example, SECPACKAGE does not have to be specified because it defaults to negotiate. The only protocol in the list to negotiate is NTLM. Therefore, all clients that connect to the server must use NTLM or fail the connection. It is important that the protocols of both the client and server match. The client is also forced to use NTLM if the server displays only NTLM in the package list.
See Also |
System Options: |
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.