Windows: TCP/IP Access Method

Prerequisites for Using TCP/IP under Windows

Task List

System Administrator or User

Verify that software requirements are met.
If running the SAS/CONNECT or SAS/SHARE server secured, you must understand user contexts and know the two methods for authenticating clients.
If using network security, set the appropriate SAS options.
Set the appropriate SAS/CONNECT and SAS/SHARE options.

Software Requirements

Ensure that the following requirements are met:

Base SAS and either SAS/CONNECT or SAS/SHARE are installed on both the client and the server.
The Microsoft TCP/IP System Driver that is provided with the Windows operating environment is installed and configured.

Contexts for User IDs

User Context: Definition

User context is the identifying credentials of the client who is attempting to access a secured server. Identifying credentials include the user ID, password, and file access permissions. Users can specify their own user context or a different user context when accessing a server.

Users specify their own user contexts when logging on to a server by using their user IDs and passwords to access files that they have permission to access.

Users can specify different user contexts when logging on to a server by using someone else's user ID and password. Supplying someone else's user ID and password gives permission to users to access files that they might otherwise be denied access to. A system administrator's user ID and password is an example of a different user context that might be specified. Such a context does not belong to the user but can be granted to the user for access to specific files.

Accessing a Secured Server Using Your Own Context

To access a secured server by using your own user context, specify your user ID and password.

Note: If SSPI (Security Support Provider Interface) is available, you do not need to specify a user ID and password. For details, see SSPI. [cautionend]

Accessing a Server Using a Different Context

To access a server by using a different context, specify the appropriate user ID and password.

Note: If SSPI is available, you must specify the user ID explicitly in a sign-on script or as an option in the SIGNON statement for SAS/CONNECT or in the LIBNAME statement for SAS/SHARE. For details, see SSPI. [cautionend]

SAS/CONNECT and SAS/SHARE Server Security

Security for a SAS/CONNECT or a SAS/SHARE server's resources can be enforced only by authenticating the identity of the user who runs the client session that is accessing the server session.

Two methods are available for authenticating a client's identity:

simulated logon
Microsoft SSPI

For complete details about server security, see Data Security for SAS/CONNECT or SAS/SHARE Servers.

SAS/CONNECT and SAS/SHARE Network Security

Encryption is the process of transforming plaintext into a less readable form (called ciphertext) by using a mathematical process. The ciphertext is translated back to plaintext for anyone who can supply the appropriate key, which is necessary for decrypting (or unlocking) the ciphertext.

For complete details about setting up and using encryption, see Encryption in SAS. After encryption is set up in your environment, you set SAS encryption options that are appropriate to the encryption service and to the requirements of the client or the server session.

SAS/CONNECT Options Only

TCPMSGLEN n

defines the size of the buffer (in bytes) that the TCP/IP access method uses for breaking up a message that it sends to or receives from the SAS/CONNECT application layer during a SAS/CONNECT session. The application layer uses a message size that is stored in the TBUFSIZE option (default 32768) that you can specify in the SIGNON statement or as a SAS option. For details, see the TBUFSIZE= system option in the SAS/CONNECT User's Guide.

If TBUFSIZE is larger than TCPMSGLEN, the TCP/IP access method breaks the message into a buffer whose size is defined by TCPMSGLEN and issues the number of send and receive messages that are necessary to complete the message transaction.

The value for TCPMSGLEN (default=16384) must be set at both the client and the server. If the values that are set for TCPMSGLEN at the client and at the server are different, the smaller value of the two is used during the SAS/CONNECT session.

Example:

-set tcpmsglen 8192

TCPPORTFIRST=port-number(set at the server) TCPPORTLAST=port-number(set at the server)

restrict the range of TCP/IP ports that clients can use to remotely access servers.

Within the range of 0 through 32767, assign a beginning value to TCPPORTFIRST and an ending value to TCPPORTLAST. To restrict the range of ports to only one port, set the values for TCPPORTFIRST and TCPPORTLAST to the same number. Consult with your network administrator for advice about these settings.

At the server, you can set TCPPORTFIRST and TCPPORTLAST in a SAS start-up command or in the configuration file.

In the following example, the server is restricted to the TCP/IP ports 4020 through 4050:

options tcpportfirst=4020;
options tcpportlast=4050;

TCPTN3270 (set at the client)

TCPTN3270 is an environment variable that supports connections to z/OS servers that use the full-screen 3270 Telnet protocol. The script file TCPTSO32.SCR is provided. See SAS/CONNECT Sign-on Scripts for TCP/IP under Windows for a complete list of sign-on scripts.

Set TCPTN3270 to the value of 1 at the Windows client in the SAS configuration file or in an OPTIONS statement.

Examples:

-set tcptn3270 1

options set=tcptn3270 1;

If you do not set this variable, the TCP/IP access method uses the Telnet line-mode protocol by default.

SAS/SHARE Options Only

AUTHSERVER domain-or-server

specifies the location of the database that contains the user ID and password pairs that are used for validation.

You can specify the AUTHSERVER option in an OPTIONS statement in a SAS session or in an AUTOEXEC file, in a SAS configuration file, in a SAS invocation, or as a SAS macro variable.

You can also specify a single domain in the form domain\user ID when you provide your user ID to the Windows environment.

Example:

signon user=apex\bass password=time2go;

The domain name apex identifies the location of the user ID and password database. The user ID bass and the password time2go will be verified in the apex user ID and password database.

TCPSEC=_SECURE_ | _NONE_ (set at the server)

specifies whether the TCP/IP access method verifies user access authority before allowing clients to access the server. The TCPSEC option must be set at the server before the server session is started. The default is _NONE_.

_SECURE_: requires that the TCP/IP access method verify the authority of clients that attempt to access the server. Each client must supply a user ID and a password that are valid at the server.
_NONE_: specifies that the TCP/IP access method does NOT authenticate SAS/SHARE clients that attempt to access the server.

Examples:

%let tcpsec=_secure_;
%let tcpsec=_none_;

Top of Page