Options for Starting and Managing the SAS/CONNECT Spawner

Introduction

Spawner invocation options consist of SAS/CONNECT spawner options and SAS system options that you can use to run and configure the spawner from the command line. You can use these commands when you invoke the spawner using the CNTSPAWN command in Windows or UNIX, or in a z/OS PARMS file.
Spawner invocation options can be logically grouped into these categories:

General Spawner Options

Use the following general options with the CNTSPAWN spawner start-up command:

-DEBUG

turns on debug level output.

-ENCRYPTFIPS

specifies that the spawner uses FIPS compliant encryption to protect communications. When -ENCRYPTFIPS is specified, only SSL and AES encryption algorithms are valid.

See ENCRYPTFIPS System Option in Encryption in SAS
Example The following example enables SSL and AES encryption.
"SAS-installation-directory\SASFoundation\9.4\cntspawn.exe" -encryptfips

-HELP

specifies to print the Help message.

-LOG | -LOGFILE <filename>

specifies the filename to use for spawner log output if you are not using the -LOGCONFIGLOC option. The -LOG option should not be used with the -LOGCONFIGLOC option. If both options are specified, the -LOGCONFIGLOC option takes precedence.

You can specify the -DEBUG or -TRACE options with the -LOG <filename> option to have detailed spawner log messages sent to a log file.
Example The following example uses the ConnectSpawner.sh script on UNIX to start the SAS/CONNECT spawner and specifies that debug-level log messages are sent to the unxspawner.log file.
ConnectSpawner.sh  -start -debug -log unxspawner.log

-LOGCONFIGLOC <filename>

enables the SAS logging facility for SAS servers and names the location of the configuration file that is used by the SAS logging facility to create spawner log output. The configuration file is an XML file that specifies and configures loggers and appenders for the SAS/CONNECT spawner. The SAS Deployment Wizard automatically creates an initial logging configuration file for the spawner named logconfig.xml that you can modify as needed to adjust your logging configuration. The file is located in the sas-installation-directory/Lev-n/ConnectSpawner/ directory on UNIX and the sas-installation-directory\Lev-n\ConnectSpawner\ directory on Windows. The file contains the pattern layout for the messages that are generated and automatically directed to an output device, such as a console or a log file. Relevant log data for the Windows spawner might include the date and time, the log level, the thread ID, and the logger.

See Sample SAS/CONNECT Spawner logconfig.xml File for an example of a spawner log configuration file in the UNIX environment.
The file-specification that defines the location of the XML configuration file must be a valid filename or a path and filename for your operating environment. If the path contains spaces, enclose the file-specification in quotation marks.
Note If -LOGCONFIGLOC is specified, spawner messages are routed by default to the App.Connect.Spawner logger.
See For information about using the -LOGCONFIGLOC option in the SAS Logging Facility, see LOGCONFIGLOC= System Option in SAS Logging: Configuration and Programming Reference.
Example The following spawner start-up command invokes the SAS Logging Facility and specifies the name and location of the logging configuration file, winspawnerlog.xml.
"SAS-installation-directory\SASFoundation\9.4\cntspawn.exe" -logconfigloc winspawnerlog.xml

-MGMTPORT

enables you to specify the service name or port number that will listen for operator connections. Operator connections are connections made through the operator port. The operator port is a unique port number that is used for administrative purposes.

Range 1-65535

-METAENCRYPTALG algorithm | NONE

specifies the type of encryption algorithm to use when communicating with the metadata server. The following algorithms can be used: RC2, RC4, TripleDES, SAS Proprietary, and AES.

-METAENCRYPTLEVEL <level>

specifies the level of encryption when communicating with the metadata server.

-METAPASS

specifies the password of the user who is to connect to the metadata server.

-METAPORT <port>

specifies the port to connect to on the metadata server.

-METASERVER <host>

specifies the name or IP address of the metadata server.

-METAUSER <user-id>

specifies the user ID of the user who is to connect to the metadata server.

-NETENCRKEY <keysize>

specifies the number of bits in data encryption keys.

-NETENCRYPT <algorithm>

specifies that network encryption is required.

-NETENCRYPTALGORITHM <algorithm>

specifies the name of the encryption algorithm.

-NOCLEARTEXT

prevents sign-ons from clients that do not support user ID and password encryption. This option prevents clients that are running older releases (prior to SAS 6.09E and SAS 6.11 TS040, which do not support user ID and password encryption) from signing on to the spawner program. However, the default permits both encrypted and plaintext user IDs and passwords.

-NOINHERITANCE

disables socket inheritance. Socket inheritance allows SAS/CONNECT servers to use the socket connection that is established between the SAS/CONNECT client and the spawner. Socket inheritance saves resources and is easier to configure when clients connect to a server that is within a firewall. Socket inheritance is enabled by default.

-NOSCRIPT

prevents sign-on from clients that use scripts, and allows sign-on only from clients that do not use scripts.

-NOSCRIPT can be useful if you want to limit SAS start-up commands to the use of the -SASCMD option or to commands defined in metadata. Specifying -NOSCRIPT restricts clients from specifying additional options in SAS start-up commands or script files. When -NOSCRIPT is specified, either -SASCMD must also be specified or logical Connect Servers must be defined in metadata.
Note: If a scriptless server defined in metadata does not have a valid spawner SASCMD value, the logical server will be ignored.

-SASCMD | -CMD <command>

Windows

specifies the SAS command or a command file that invokes SAS when a client attempts to connect to a server using the port defined by the -SERVICE command. The -SERVICE option specifies an alternate port that the spawner uses to listen for incoming requests for connection.

In Windows, you can use either a batch file, which is signified by the .bat extension, or a command file, which is signified by the .cmd extension. Here is an example of a batch file:
cd !sasroot 
sas.exe %*
The first line changes to the directory where the SAS executable is stored. The second line starts SAS. Add options as needed at this SAS start-up command.

UNIX

specifies the SAS command or a command file that starts a SAS session when you sign on without a script. If the client does not specify a script file at sign-on, the -SASCMD option must be specified when starting the spawner.

Here is a sample UNIX command file:
#!/bin/ksh 
#---------------------------------- 
# mystartup 
#---------------------------------- 
. ~/.profile 
sas -noterminal -nosyntaxcheck $* 
#------------------------------
Note: The $* positional parameter enables you to specify additional SAS options when you invoke SAS.

z/OS

specifies a UNIX System Services (USS) shell script for starting a SAS session. You must use -SASCMD and a shell script if you do not specify a sign-on script in the client session using an RLINK fileref. The script interprets the command arguments and environment variables and builds a TSO command that invokes a SAS session. For an example of a SAS start-up shell script, see Defining the Shell Script for Starting SAS.

For an example of starting the spawner in z/OS, see Encrypted Sign-on to a z/OS Spawner.

Use the -SASCMD option to do the following:

  • invoke SAS from a directory that is not the default location
  • specify different SAS start-up command options
  • execute other statements before invoking SAS
The following options are supplied by default when you sign on using the SAS/CONNECT spawner:
-DMR -COMAMID<access-method> -NOSPLASH -ICON -NOTERMINAL

-SASDAEMONSERVICE service-name

specifies the service name or port number that the SAS/CONNECT server uses to listen for SAS child process connections. When socket inheritance is enabled, the SAS client and the SAS/CONNECT server communicate via this port. If you use a service, its name must be configured in the SERVICES file on the computer that the SAS/CONNECT server session runs on.

-SASSPAWNERCN <name>

specifies the name of the spawner definition to retrieve from the SAS Metadata Server.

If the -SASSPAWNERCN option is specified, you must either specify the -XMLCONFIGFILE option or you must specify the -METASERVER, -METAPORT, -METAUSER, and -METAPASS options. The -XMLCONFIGFILE option specifies the filename to use to get SAS Metadata Server access information. This file configures how the SAS/CONNECT Spawner will connect to the SAS Metadata Server to retrieve its configuration information.
For details about generating a SAS/CONNECT spawner definition for the SAS Metadata Server, see the Help for the SAS/CONNECT spawner server type in the Server Manager of SAS Management Console.

-SERVICE <port-number | service-name>

specifies the service name or port number to use to listen for client connections.

The -SERVICE option values that are used to start the spawner determine what will be used by the client to sign on.
In the following example, the spawner is started by specifying the port-number as the value of the -SERVICE option during spawner start-up:
"SAS-installation-directory\SASFoundation\9.4\cntspawn.exe" -service 5020
The client can then sign on by specifying the explicit port-number in the SIGNON statement:
signon node-name.5020 -mgmtport 5030 
Note If the -SERVICE option is not specified, the spawner will listen on the Telnet port (23).

-SHELL

specifies that the started SAS/CONNECT servers will allow X commands.

Without specifying the -SHELL option to the spawner, X command processing is disabled, by default.

-SSLCLIENTAUTH

specifies that the server requires client authentication for SSL connections.

-SSLCRLCHECK

specifies that the server checks the CRL for revoked digital certificates for SSL.

-SSPI | -NOSSPI

identifies support for the Security Support Provider Interface for single sign-on connections to the spawner. If the client and the server run under Windows and if the client does not supply a user ID and password to the server, SSPI (Security Support Provider Interface) is used to perform client authentication. SSPI authentication is disabled by default. To enable SSPI authentication, you must specify -SSPI in the spawner start-up command. In versions prior to 9.4, SSPI was enabled by default.

Default -NOSSPI

-TRACE | VERBOSE

turns on trace level output.

-XMLCONFIGFILE "fully-qualified-path"

specifies the filename to use to get SAS Metadata Server access information. A path that includes one or more spaces must be enclosed in quotation marks.

If -XMLCONFIGFILE is used, -SASSPAWNERCN must also be used.
Alias -OMRCONFIGFILE
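
The defaults and constraints described for the general options above can be checked mechanically. The following is an added example, not SAS code: it audits a spawner start-up command for the settings this page calls out. The sample commands, host name, port, user, and password are constructed, and treating -SASSPAWNERCN as the sign of a metadata-defined Connect Server is an assumption.

```python
import shlex

# Values of these options are secrets; command-line arguments are visible to
# other local users through the process listing.
SECRET_OPTS = {"-METAPASS", "-SERVICEPASS", "-SERVPASS",
               "-SSLPKCS12PASS", "-SSLPVTKEYPASS"}

def parse(cmdline):
    """Map upper-cased option names to a value (None for bare switches)."""
    opts, tokens = {}, shlex.split(cmdline)
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            opts[tok.upper()] = None if nxt is None or nxt.startswith("-") else nxt
    return opts

def audit(cmdline):
    """Return findings for one spawner start-up command (UNIX-style quoting)."""
    o, out = parse(cmdline), []
    if "-SERVICE" not in o:
        out.append("no -SERVICE: spawner listens on the Telnet port (23)")
    if "-NOCLEARTEXT" not in o:
        out.append("no -NOCLEARTEXT: plaintext user IDs and passwords accepted")
    if "-SHELL" in o:
        out.append("-SHELL: started SAS/CONNECT servers allow X commands")
    if "-NOSCRIPT" not in o:
        out.append("no -NOSCRIPT: clients can add options to SAS start-up commands")
    elif not {"-SASCMD", "-CMD", "-SASSPAWNERCN"} & o.keys():
        # Assumption: -SASSPAWNERCN is taken as the sign that Connect Servers
        # are defined in metadata.
        out.append("-NOSCRIPT without -SASCMD or a metadata spawner definition")
    for name in sorted(SECRET_OPTS & o.keys()):
        out.append(f"{name}: password supplied on the command line")
    alg = (o.get("-NETENCRYPTALGORITHM") or "").upper()
    if "-ENCRYPTFIPS" in o and alg and alg not in {"SSL", "AES"}:
        out.append(f"-ENCRYPTFIPS with {alg}: only SSL and AES are valid")
    meta = (o.get("-METAENCRYPTALG") or "").upper()
    if meta in {"NONE", "RC2", "RC4"}:
        out.append(f"-METAENCRYPTALG {meta}: weak or no metadata encryption")
    if "-LOGCONFIGLOC" in o and {"-LOG", "-LOGFILE"} & o.keys():
        out.append("-LOG is overridden: -LOGCONFIGLOC takes precedence")
    if "-XMLCONFIGFILE" in o and "-SASSPAWNERCN" not in o:
        out.append("-XMLCONFIGFILE requires -SASSPAWNERCN")
    return out

# Constructed sample commands (host, port, user and password are made up).
WEAK = ("cntspawn -shell -metaserver meta.example.com -metaport 8561 "
        "-metauser sasadm -metapass Example1 -metaencryptalg RC4 "
        "-encryptfips -netencryptalgorithm RC4")
HARDENED = ("cntspawn -service 5020 -nocleartext -noscript "
            "-sascmd /opt/sas/mystartup -encryptfips "
            "-netencryptalgorithm AES -logconfigloc logconfig.xml")

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cmd) or "no findings")
```

The parser assumes POSIX quoting, so a Windows command line with backslash paths needs those paths quoted or converted before it is passed in.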

Windows Options

Use the following service options to create, modify, and remove SAS/CONNECT spawner service definitions in the Windows operating environment:

-INSTALL <-INSTALLDEPENDENCIES service-name> <-SERVICEDESCRIPTION description> <-SERVICEDIRECTORY directory-name> <-SERVICENAME service-name> <-SERVICEPASS password> <-SERVICEUSER user-ID>

causes an instance of a

SAS Connect Spawner
You can install each instance of the spawner by using the following command:
C:\SAS>cntspawn -install 
When you install a spawner without specifying -NAME, it is installed as "SAS Connect Spawner." Instead of accepting a default name for a spawner service, you can assign a specific name to a spawner service by using the -NAME option.
If you try to install a second spawner without specifying -NAME, the attempt will fail and you will get an error.
This option can be abbreviated as -I.

-INSTALLDEPENDENCIES service-name–1<, service-name–2><, ...>

specifies the Windows service that must be started before the spawner service starts. The service-name value is the name of the dependent service that is displayed in the Microsoft Windows Services snap-in (services.msc).

Alias -IDEP

-SERVICEDESCRIPTION "service-description"

specifies the description that you assign to the spawner that is installed and started as a Windows service, when you also specify the -INSTALL option. The -SERVDESC option is valid only when installing the spawner using the -INSTALL option on the CNTSPAWN command. The description can be viewed with the services applet in Windows. A specified spawner description cannot exceed 256 characters and must be enclosed in quotation marks if it contains one or more spaces.

The following example shows how to use the -INSTALL, -NAME, and -SERVDESC options on the CNTSPAWN command to install a spawner named “SAS spawner 5” and specify a description, which will be displayed in the Services Control Manager Window:
cntspawn -install -servicename "SAS spawner 5" -servdesc "A SAS process that listens for requests to spawn SAS/Connect servers"
Alias -SERVDESC

-SERVICEDIRECTORY directory

specifies the directory in which to run the Windows service, when you also specify the -INSTALL option.

Alias -SERVDIR

-SERVICENAME "service-name"

specifies the name that you assign to the spawner that is installed, or uninstalled, and started as a service in the Windows operating environment. A specified name overrides the default name that is automatically assigned when the -INSTALL option is used.

When you install a spawner without specifying -SERVICENAME, it is installed as "SAS Connect Spawner". If you try to install a second spawner without specifying -name, the attempt will fail and you will get an error.
A specified spawner name cannot exceed 80 alphanumeric characters. A name string that includes one or more spaces must be enclosed in quotation marks.
The following example shows how to install an explicitly named spawner as a service:
cntspawn -install -servicename "Doug's spawner"
The following example shows how to uninstall an explicitly named Windows spawner by using the -UNINSTALL command:
cntspawn -uninstall -servicename "Doug's spawner"
Alias -NAME

-SERVICEPASS password

specifies the password for the user account that the spawner will run under as a service. For details about SSL, see Encryption in SAS, located in the Base SAS Help and Documentation.

Alias -SERVPASS

-SERVICEUSER=user-ID

specifies a user name that the Windows service will run under, when you also specify the -INSTALL option. This option can be abbreviated as -SU.

Alias -SU, -SERVUSER

-SSLCERTISS <issuer>

specifies the name of the issuer of the digital certificate that SSL should use.

-SSLCERTSERIAL <serial>

specifies the serial number of the digital certificate that SSL should use.

-SSLCERTSUBJ <subject>

specifies the subject name of the digital certificate that SSL should use.

-UNINSTALL

instructs the spawner to uninstall as a Windows service, which was previously installed and started by using the -INSTALL option.

If you used the -SERVICENAME option with the -INSTALL option to install a spawner, you can use the -SERVICENAME option with the -UNINSTALL option to identify the spawner to be removed.
cntspawn -uninstall -servicename "Doug's spawner"
Alias -DEINSTALL or -DI

UNIX and z/OS Options

-SSLCALISTLOC <filename>

specifies the name of the file that contains the list of trusted certificate authorities.

-SSLCERTLOC <filename>

specifies the name of the file that contains the public certificate to use for SSL.

-SSLCRLLOC <filename>

specifies the location of the CRL file.

-SSLPKCS12LOC <filename>

specifies the name of the file that contains PKCS12 information to use for SSL.

-SSLPKCS12PASS <password>

specifies the password to use to decrypt the PKCS12 information.

-SSLPVTKEYLOC <filename>

specifies the name of the file that contains the public certificate's private key to use for SSL.

-SSLPVTKEYPASS <password>

specifies the password to use to decrypt the private key, if the private key is encrypted.

For more information about using encryption options in SAS, see SAS System Options for Encryption in Encryption in SAS.
For example programs, see Encryption Technologies: Examples in Encryption in SAS.

Sample SAS/CONNECT Spawner logconfig.xml File

Here is an example of a spawner log configuration file (logconfig.xml) in the UNIX environment:
<?xml version="1.0" encoding="UTF-8"?>
<logging:configuration xmlns:logging="http://www.sas.com/xml/logging/1.0/">

   <!-- Rolling log file with default rollover of midnight -->

   <appender class="RollingFileAppender" name="TimeBasedRollingFile">
        <param name="Append" value="false"/>
        <param name="Unique" value="true"/>
        <param name="ImmediateFlush" value="true"/>
        <rollingPolicy class="TimeBasedRollingPolicy">
             <param name="FileNamePattern" value="/SAS-configuration-directory/Lev-n/ConnectSpawner/Logs/ConnectSpawner_%d_%S{hostname}_%S{pid}.log"/>
        </rollingPolicy>
        <layout>
            <param name="HeaderPattern" value="Host: '%S{hostname}', OS: '%S{os_family}', Release: '%S{os_release}', Command:'%S{startup_cmd}'"/>
            <param name="ConversionPattern" value="%d %-5p [%t] :%u - %m"/>
        </layout>
   </appender>

   <!-- Unix System Facility Appender, writes to unix system log -->
   <appender class="UNXFacilityAppender" name="UnixSysLog">
         <filter class="RepeatMatchFilter">
            <param name="AcceptOnMatch" value="false"/>
         </filter>
         <layout>
             <param name="ConversionPattern" value="%-5p [%t] :%u - %m"/>
         </layout>
   </appender>

   <!-- Administration message logger -->
   <logger name="Admin">
       <level value="Info"/>
       <appender-ref ref="UnixSysLog"/>
   </logger>

   <!-- Application message logger -->
   <logger name="App">
       <level value="Trace"/>
   </logger>

   <!-- Audit message logger -->
   <logger name="Audit">
       <level value="Info"/>
   </logger>

   <!-- IOM protocol message logger -->
   <logger name="IOM">
       <level value="Info"/>
   </logger>

   <!-- Logging Facility logger -->
   <logger name="Logging">
        <level value="Error"/>
        <appender-ref ref="UnixSysLog"/>
   </logger>

   <!-- Root logger -->
   <root>
      <level value="Error"/>
      <appender-ref ref="TimeBasedRollingFile"/>
         <!-- Caution: Do NOT edit, modify or remove the following statement. -->
         <appender-ref ref="IOMServer"/>
   </root>

   <!-- Caution: Do NOT edit or modify the configuration information below. -->
   <!-- Settings are enabled for the internal server execution environment. -->

   <!-- IOM Server Appender -->
   <appender class="IOMServerAppender" name="IOMServer">
      <param name="MaxEntries" value="10000"/>
      <layout>
         <param name="ConversionPattern" value="%d %-5p [%t] %u - %m"/>
      </layout>
   </appender>

   <!-- Event Appender -->
   <appender class="IOMEventAppender" name="Events">
      <param name="Scope" value="server"/>
         <param name="Threshold" value="Debug"/>
      <layout>
         <param name="ConversionPattern" value="%d %-5p [%t] %u - %m"/>
      </layout>
   </appender>

   <!-- Server Administration Message Logger -->
   <logger name="Perf.ARM.IOM.ConnectSpawner.ServerAdministration">
      <level value="Debug"/>
      <appender-ref ref="Events"/>
   </logger>

</logging:configuration>
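
When logconfig.xml is edited by hand, a mistyped appender name silently detaches a logger from its output. The following added example (not part of the SAS documentation) parses a file in the layout shown above and reports appender references that do not resolve, appenders that nothing references, and conversion patterns without a date (%d) or user (%u) field. The embedded configuration is constructed, and the appender names Orphan and AuditFile are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed-down logconfig.xml in the layout of the sample above.
SAMPLE = """<logging:configuration xmlns:logging="http://www.sas.com/xml/logging/1.0/">
   <appender class="UNXFacilityAppender" name="UnixSysLog">
      <layout><param name="ConversionPattern" value="%-5p [%t] :%u - %m"/></layout>
   </appender>
   <appender class="RollingFileAppender" name="Orphan">
      <layout><param name="ConversionPattern" value="%d %-5p - %m"/></layout>
   </appender>
   <logger name="Admin"><level value="Info"/><appender-ref ref="UnixSysLog"/></logger>
   <logger name="Audit"><level value="Info"/><appender-ref ref="AuditFile"/></logger>
   <root><level value="Error"/><appender-ref ref="UnixSysLog"/></root>
</logging:configuration>"""

def check_logconfig(xml_text):
    """Cross-check loggers against appenders and inspect message patterns."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    appenders = {a.get("name"): a for a in root.findall("appender")}
    refs = {}  # logger name -> appender names it references
    for node in root.findall("logger") + root.findall("root"):
        refs[node.get("name", "root")] = [
            r.get("ref") for r in node.findall("appender-ref")]
    used = {r for names in refs.values() for r in names}
    report = {
        # (logger, appender) pairs where the appender is not defined
        "dangling": sorted((lg, r) for lg, names in refs.items()
                           for r in names if r not in appenders),
        # appenders that no logger or root references
        "unused": sorted(set(appenders) - used),
        "no_timestamp": [],
        "no_user": [],
    }
    for name, app in appenders.items():
        for p in app.findall("layout/param[@name='ConversionPattern']"):
            pattern = p.get("value", "")
            if "%d" not in pattern:
                # Informational: a system-log appender is normally
                # timestamped by the system log itself.
                report["no_timestamp"].append(name)
            if "%u" not in pattern:
                report["no_user"].append(name)
    return report

if __name__ == "__main__":
    for key, value in check_logconfig(SAMPLE).items():
        print(f"{key}: {value}")
```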