Authentication Mechanisms

| Summary | The metadata server accepts peer SAS sessions and servers that connect using a proprietary protocol (trusting that those connecting identities have already been properly authenticated). |
| Scope | From any SAS session or SAS IOM server process to the metadata server. The scope is configurable. |
| Benefits | Enables a SAS/CONNECT server to access the metadata server. Facilitates connections to the metadata server during batch processing. [1] |
| Limits | It is important to minimize availability of this feature. |
| Use | Optional [2] |
[1] In a Windows environment, it is safer to instead use Integrated Windows authentication to support connections back to the metadata server during batch processing.
[2] If you use your operating system scheduler to run metadata backup jobs, make sure that trusted peer connections from the host account that runs those jobs are allowed.
In the initial configuration, the metadata server's start command includes TRUSTSASPEER=trustedPeers.xml. The contents of the file trustedPeers.xml (which is located in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer/) make all user IDs and machines eligible to connect to the metadata server using the trusted peer protocol.
For greater security, we recommend that you target this mechanism so the metadata server does not accept every connection that uses the proprietary protocol. You can use either or both of these constraints:
accept only specified user IDs
accept only connections that originate from specified machines
You define the constraints in these sections in trustedPeers.xml:
TrustedSASPeerClients lists eligible client types. SAS and java are the valid values. It is recommended that you reject connections from Java clients. Typically, there is only one entry between the TrustedSASPeerClients tags:
<client name="SAS"/>
TrustedSASPeerUsers lists eligible user IDs. To represent all users, use an asterisk (*). To represent all users in a Windows domain, use the format *@domain. For Windows accounts, provide domain-qualified (or machine-qualified) IDs. For example, you might insert these three entries between the TrustedSASPeerUsers tags:
<user name="*@winXP"/>
<user name="tara"/>
<user name="batchjobID"/>
TrustedSASPeerMachines lists eligible points of origin. Identify machines by IP address. You can use asterisks (*) as wildcards. For example, you might insert these three entries between the TrustedSASPeerMachines tags:
<machine ip="1.2.3.4"/>
<machine ip="A:B:C:D:E:F:1.2.3.4"/>
<machine ip="*.*.8.9"/>
Note: Only connections that meet all specified criteria are accepted. If any of the sections are empty, no trusted peer connections are allowed.
Note: An additional constraint, TrustedSASDomains, is supported for backwards compatibility but will be deprecated in a future release.
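The following Python script is an added illustration, not SAS's own code or the metadata server's implementation: it evaluates a proposed trusted peer connection against a trustedPeers.xml using the rules stated above (every section must match, an empty section refuses all connections, * is a wildcard) and flags entries a reviewer should question. The root element name and SAS's exact matching semantics are assumptions.

```python
# Added example, not SAS's own code: checks a proposed connection against a
# trustedPeers.xml using the rules on this page (every section must match, an empty
# section refuses all connections, '*' is a wildcard) and flags permissive entries.
# The root element name and SAS's exact matching semantics are assumptions here.
import re
import xml.etree.ElementTree as ET

# Constructed sample trustedPeers.xml built from the entries shown on the page.
TARGETED_XML = """<TrustedSASPeers>
  <TrustedSASPeerClients><client name="SAS"/></TrustedSASPeerClients>
  <TrustedSASPeerUsers>
    <user name="*@winXP"/><user name="tara"/><user name="batchjobID"/>
  </TrustedSASPeerUsers>
  <TrustedSASPeerMachines><machine ip="1.2.3.4"/><machine ip="*.*.8.9"/></TrustedSASPeerMachines>
</TrustedSASPeers>"""

SECTIONS = [("TrustedSASPeerClients", "name"), ("TrustedSASPeerUsers", "name"),
            ("TrustedSASPeerMachines", "ip")]

def _entries(root, section, attr):
    sec = root.find(f".//{section}")  # located by name, whatever the root is called
    return [] if sec is None else [e.get(attr, "") for e in sec]

def _wildcard_match(pattern, value):
    # Only '*' is a wildcard (per the page); every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def trusted_peer_allowed(xml_text, client, user, ip):
    # Returns (allowed, reason). All three criteria must be satisfied.
    root = ET.fromstring(xml_text)
    for (section, attr), value in zip(SECTIONS, (client, user, ip)):
        entries = _entries(root, section, attr)
        if not entries:
            return False, f"{section} is empty: no trusted peer connections allowed"
        if not any(_wildcard_match(p, value) for p in entries):
            return False, f"{value!r} matches no entry in {section}"
    return True, "all criteria satisfied"

def audit_findings(xml_text):
    # Entries a reviewer should question: a bare '*' and Java clients.
    root = ET.fromstring(xml_text)
    findings = []
    for section, attr in SECTIONS:
        for entry in _entries(root, section, attr):
            if entry == "*":
                findings.append(f"{section}: '*' accepts any {attr}")
            elif section == "TrustedSASPeerClients" and entry.lower() == "java":
                findings.append(f"{section}: Java clients should not be trusted")
    return findings
```

Run `audit_findings` against your own trustedPeers.xml to spot the wide-open entries left by the initial configuration, and `trusted_peer_allowed` to confirm that the batch or backup account from note 2 still matches after you tighten the file.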
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.