SAS 9.1.3 Integration Technologies » Server Administrator's Guide


Security

Implementing Encryption with Integration Technologies

You can implement encryption for COM/DCOM and IOM Bridge Server connections:

  • For COM/DCOM connections, encryption is enabled by using an AuthenticationLevel of Packet Privacy. By default, DCOM uses the RC2 encryption algorithm. You can set the authentication level for a DCOM object using the Windows dcomcnfg utility.

  • For IOM Bridge Server connections, the IOM Bridge for Java and IOM Bridge for COM have the ability to encrypt all messages exchanged with the IOM server, using a two-tiered security solution. The first tier is the SASProprietary encryption algorithm. The second tier is made up of standards-based RC2, RC4, DES, and Triple DES encryption algorithms.

    • The first-tier encryption algorithm, the SAS proprietary encryption algorithm (SASProprietary), is appropriate for use in applications where you want to prevent accidental exposure of information while it is being transmitted over a network between an IOM Bridge and an IOM server. Access to this encryption algorithm is included with your Base SAS license, and the Java and Windows implementations are integrated into the IOM Bridge for Java and the IOM Bridge for COM.

    • The second-tier encryption algorithms are appropriate for use in applications where you want to prevent exposure of secret information. Using these algorithms makes it extremely difficult to discover the content of messages exchanged between an IOM Bridge for Java (or IOM Bridge for COM) and an IOM server. To use these algorithms you must license the SAS/SECURE software.

Specifying Server Encryption Settings for IOM Bridge Connections

To enable encryption for an IOM Bridge connection, you must specify an encryption algorithm and an encryption level.

Specifying the Encryption Algorithm

Depending on how your server is configured, do one of the following:

  • For servers that are not configured using SAS Management Console, specify an encryption algorithm using the NETENCRYPTALGORITHM system option in the server startup command. The NETENCRYPTALGORITHM option can also be specified as NETENCRALG. The syntax for this option is

    -NETENCRYPTALGORITHM "algorithm" | ("algorithm", "algorithm"...)

    Where algorithm is one of the following values:

    • SASProprietary
    • RC2
    • RC4
    • DES
    • TripleDES

    Note: If you do not have a license for SAS/SECURE, you can only specify the SASProprietary algorithm.

    There is no default encryption algorithm for servers that are not configured using SAS Management Console.

  • For servers that are configured using SAS Management Console, you can specify an encryption algorithm using either the NETENCRYPTALGORITHM system option (in the Command field of the server definition) or the Server Encryption Algorithms field. If you specify a value both in the server command and in the Server Encryption Algorithms field, the value from the server command is used.

    The default algorithm for servers that are configured using SAS Management Console is SASPROPRIETARY.

Specifying the Encryption Level

Depending on how your server is configured, do one of the following:

  • For servers that are not configured using SAS Management Console, specify the encryption level using the CLIENTENCRYPTIONLEVEL object server parameter. You can specify the following values:

    NONE
        Nothing is encrypted.
    CREDENTIALS
        The login credentials are encrypted.
    EVERYTHING
        All client-server communications are encrypted.

    Note: CLIENTENCRYPTIONLEVEL can also be specified as CEL.

    Servers that are not configured using the SAS Management Console have a default encryption level of none.

  • For servers that are configured using SAS Management Console, you can specify the encryption level using either the CLIENTENCRYPTIONLEVEL object server parameter (in the Object Server Parameters field of the server definition) or the Required Encryption Level field. If you specify a value both in the server command and in the Required Encryption Level field, the value from the server command is used.

    Servers that are configured using the SAS Management Console have a default encryption level of credentials.
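An audit helper for the rules above, added here as an example (it is not SAS code and not part of the original guide): it resolves which algorithms and encryption level a server will actually use from its startup command, the SAS Management Console fields, and the stated defaults. The function name, the finding codes, and the name=value form of the object server parameter are assumptions of this example.

```python
import re

# Values and defaults are the ones listed on this page.
FIRST_TIER = {"SASPROPRIETARY"}
SECOND_TIER = {"RC2", "RC4", "DES", "TRIPLEDES"}   # require SAS/SECURE
LEVELS = {"NONE", "CREDENTIALS", "EVERYTHING"}
# Defaults keyed by "configured using SAS Management Console?"
DEFAULTS = {True: (["SASPROPRIETARY"], "CREDENTIALS"), False: ([], "NONE")}

ALG_RE = re.compile(
    r'-(?:NETENCRYPTALGORITHM|NETENCRALG)\s+(\([^)]*\)|"[^"]*"|\S+)', re.I)
# Assumption: the object server parameter is written as name=value.
LEVEL_RE = re.compile(r'\b(?:CLIENTENCRYPTIONLEVEL|CEL)\s*=\s*(\w+)', re.I)

def effective_encryption(command, smc_managed, field_algs=None, field_level=None):
    """Return (algorithms, level, findings) for one server definition.
    field_* model the two SAS Management Console fields (hypothetical names)."""
    default_algs, default_level = DEFAULTS[smc_managed]
    if not smc_managed:                       # fields exist only in the console
        field_algs, field_level = None, None
    m = ALG_RE.search(command)
    if m:                                     # the server command wins
        algs = [a.upper() for a in re.findall(r"\w+", m.group(1))]
    else:
        algs = [a.upper() for a in field_algs or default_algs]
    m = LEVEL_RE.search(command)
    level = (m.group(1) if m else field_level or default_level).upper()

    findings = []
    if level not in LEVELS or any(a not in FIRST_TIER | SECOND_TIER for a in algs):
        findings.append("UNKNOWN_VALUE")
    if level == "NONE":
        findings.append("LEVEL_NONE")         # nothing is encrypted
    elif level == "CREDENTIALS":
        findings.append("CREDENTIALS_ONLY")   # only login credentials encrypted
    if level != "NONE" and not algs:
        findings.append("NO_ALGORITHM")       # level set, no algorithm named
    if algs and set(algs) <= FIRST_TIER:
        findings.append("FIRST_TIER_ONLY")    # SASProprietary only
    if SECOND_TIER & set(algs):
        findings.append("NEEDS_SAS_SECURE")   # licence required to use these
    return algs, level, findings

# Constructed sample command (assumed layout), not from a real deployment.
SAMPLE = 'sas -objectserver -objectserverparms "cel=credentials" -netencralg "SASProprietary"'

if __name__ == "__main__":
    print(effective_encryption(SAMPLE, smc_managed=False))
```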

Specifying Server Encryption Settings for DCOM Connections

Encryption for DCOM connections is dependent on your Windows DCOM settings. If you enable encryption for a DCOM connection, all communications between the client and server are encrypted using the RC2 algorithm. SAS/SECURE is not required to use RC2 with DCOM.

To enable encryption for DCOM connections, perform the following steps:

Windows NT/2000

  1. From the Windows taskbar, select Start -> Run.
  2. Type dcomcnfg and click OK. The Distributed COM Configuration Properties dialog box appears.
  3. Select the Applications tab. This tab displays a list of AppIDs. To determine which AppID corresponds to your IOM server, see AppIDs for Configuring DCOM.
  4. Select the AppID for the type of IOM server that you wish to set encryption for. Click Properties. The Properties dialog box for the selected IOM server appears.
  5. On the General tab, expand the Authentication Level drop-down list and select Packet Privacy.
  6. Click Apply to apply the settings and OK to close the dialog box.

Windows XP

  1. From the Windows taskbar, select Start -> Run.
  2. Type dcomcnfg and click OK. The Component Services window appears.
  3. In the left panel, expand the entries as follows: Component Services -> Computers -> My Computer -> DCOM Config.
  4. From the left panel, select DCOM Config. In the right panel, a list of AppIDs appears. To determine which AppID corresponds to your IOM server, see AppIDs for Configuring DCOM.
  5. Select the AppID for the type of IOM server that you wish to set encryption for. Click Properties. The Properties dialog box for the selected IOM server appears.
  6. On the General tab, expand the Authentication Level drop-down list and select Packet Privacy.
  7. Click Apply to apply the settings and OK to close the dialog box.

Specifying Client Encryption Settings

Depending on which type of client you are configuring, see the appropriate security section for client encryption settings:

  • For Java clients, see the com.sas.services.connection class documentation for details about how to use the encryption features.

  • For Windows clients, see Windows Client Security in the Windows Clients section of the SAS Integration Technologies: Developer's Guide for details on how to use encryption.