Contents Using the Workspace Manager Previous Next

Launching IOM Servers

IOM servers can be launched in two ways:

  1. Unadministered, standalone, one-time

    The typical reason this scenario is selected is that it facilitates the use of an OLE DB provider along with a SAS Workspace. While it is possible to use OLE DB without the workspace manager, the only way to use OLE DB with a live SAS Workspace interface is by using the workspace manager.

  2. Administered, networked

    This allows launching of SAS Workspaces from a shared repository (either in a file or LDAP server). This allows you to launch SAS without regard to the hardware platform or communications protocol (COM, DCOM, or the IOM Bridge for COM) that is being used. This also supports simultaneous OLE DB and SAS Workspace interaction.

Definitions

There are three definitions that can be created to assist in launching an IOM Server:

  1. Server definition (ServerDef)

    A server definition must be created before an IOM Server can be launched with the workspace manager. The server definition can either be loaded from persistent storage (a file or LDAP server), or created dynamically. A ServerDef includes a Logical Name attribute. The server definition is independent of the user.

  2. Login definition (LoginDef)

    This is user-specific information such as a user name and password. Login definitions are a convenience and are not required for creating a connection to an IOM server. They provide a mechanism for storing persistent definitions of user names and passwords.

    LoginDefs also allow multiple definitions for the same user on different security domains. For example, you could use one user name and password on MVS and a different one for UNIX. This is also possible without the use of a login definition, but the user will need to enter the username/password each time a server is launched.

  3. Logical name definition (LogicalNameDef)

    The logical Name definition allows a description to be associated with each logical name used in a server definition. Logical name definitions are not used to launch a server. However, a logical name is required to launch a server when using the login definition.

These definitions may be stored in a file on the local system or may be stored in a network directory (LDAP server).

Finding Definitions

The SAS Workspace Manager can access system-wide state information that is stored in the Windows registry. This system-wide state consists of three search specifications for finding launch information:

  1. A per-user file for local computer storage.

  2. A local computer system-wide file.

  3. An LDAP container (network directory folder) in which server definitions may be found. The SASWorkspaceManager will find definitions directly in this folder and can also find pointers to other containers in this folder.

This information is designed to make it easy to find launch information in a standard location. Also, UI applications can immediately list launch definitions found there.

Definition Persistence

Login and Server definitions can be stored using either LDAP or via an LDIF file.

LDAP

Persistence in LDAP is done through two objectclasses: sasServer and sasLogin. The BaseDN parameter of SetLDAPServer specifies the start of the SAS application tree.

LDIF file

The LDAP Data Interchange Format (LDIF) is the standard for the interchange of LDAP data. The SAS Workspace Manager has the ability to read LDIF files.

Note that LDIF specifies that each object definition start with a DN, but we don't actually know the full DN of any object. The part that is not known is replaced with "$SUFFIX$" to allow administrators to use an automated search/replace mechanism should they want to import a file into LDAP.

This format is also supported by the SAS Spawner.

Security Considerations

The userid that is used to log on to SAS will be determined when the workspace is launched. Once launched, the userid cannot be changed.

Stored passwords are not encrypted. This applies to both LDAP entries and files.

The information in a file is only restricted by the permissions on the file. If you are concerned about security, you may not want to use files to store LoginDefs.

Administrators of LDAP servers should configure the directory such that the right to read each LoginDef is restricted to the owner of the LoginDef. Granting access to a LoginDef allows a user to start SAS and log on as the User defined in the LoginDef. It also allows the user to view the password. Also note that the password is sent across the wire in plaintext.


Contents Using the Workspace Manager Previous Next