SAS 9.1.3 Integration Technologies » Server Administrator's Guide

Security
Overview of Domains
Implementing Authentication
Host Authentication
Trusted Authentication Mechanisms
Alternative Authentication Providers
Defining Users, Groups, and Logins on the SAS Metadata Server
Implementing Authentication and Authorization for Xythos WFS WebDAV
Scenario
Implementing Encryption
Setting Up Additional Server Security
Planning the Workspace and Stored Process Server Security
Spawner Security
Scenario: Spawner and Load-Balancing
Pooling Security
Scenario: Pooling
Load Balancing Security
Scenario: Load-Balancing Across Two Machines
Implementing Security in Client Applications
Security

Planning the Load Balancing Security (IOM Bridge only)

Note: For SAS Integration Technologies 9.1, you can only set up load balancing for SAS Stored Process and SAS Workspace Servers.

For an overview of load balancing, see Overview of Load Balancing.

A load-balancing configuration uses a spawner to start servers. When you configure the spawner, you must plan for the appropriate login definitions. (For details, see Planning the Spawner Security). In addition, for load-balancing across spawners, you must plan for additional configuration security; this security will be implemented differently depending upon whether you use a SAS Workspace Server or SAS Stored Process Server:

  • For load-balancing SAS Stored Process Servers, the user ID in the spawner's metadata configuration file must be able to access the multi-user login (specified on the Credentials tab of the server definition) and, if specified, the operator user ID (specified in the spawner definition). In addition, when you configure load balancing across different spawners, you must specify a login definition (the logical server credentials) within the load-balancing configuration; the user ID in the spawner's metadata configuration file must also be able to access this login definition (the logical server credentials).

  • For load-balancing SAS Workspace Servers, the user ID in the metadata configuration file must be able to access the operator user ID, if it is specified. In addition, when you configure load balancing across different spawners, you must specify a login definition (the logical server credentials) within the load-balancing configuration; the user ID in the spawner's metadata configuration file must also be able to access this login definition (the logical server credentials).

For a scenario that shows how to set up load-balancing security with one spawner, see Scenario: Security Configuration for Spawner and Load-Balancing . For a scenario that shows how to set up load-balancing security across spawners, see Scenario: Security Configuration for Load-Balancing SAS Stored Process Servers Across Two Machines.

The following table summarizes the credentials required for load-balancing security configuration:

Locations Where Credentials Are Specified for Load Balancing
User ID or Login Definition Location Where Credentials Are Specified Description Requirements
user ID in the spawner's metadata configuration file

In the metadata configuration file

Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the metadata configuration file named OMRConfig.xml (located in the ObjectSpawner directory) contains the SAS Trusted User credentials.

The credentials that the spawner uses to access the metadata server. The user ID that you specify must be able to access metadata for the operator login (ID) and if specified, the multi-user login definition.

Note: Do not specify an unrestricted user for the user ID in the metadata configuration file.
operator login for spawners (optional) In the SAS Management Console spawner definition:
Initialization: Operator Login arrow  Operator Login 

Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the operator login is not specified by default.

 The Administrator login definition to access the operator port of the spawner.

The login definition must be one of the following:

  • the login definition for the user ID that you specified in the metadata configuration file

  • a login definition that the user ID in the metadata configuration file can access
multi-user login for SAS Stored Process Servers In SAS Management Console stored process server definition:
Options  arrow  Advanced Options  arrow  Credentials arrow  Login

Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the login for the SAS General Servers group is specified.

 The user ID that is used to launch SAS processes on a multi-user server.

The login definition must be one of the following:

  • the login definition for the user ID that you specified in the metadata configuration file

  • a login definition that the user ID in the metadata configuration file can access
logical server credentials (for load-balancing across multiple spawners) In SAS Management Console logical server definition:
Load Balancing  arrow  Logical Server Credentials		 The login definition that is used by spawners to connect to other spawners for load balancing.

The login definition must be one of the following:

  • the login definition for the user ID that you specified in the metadata configuration file

  • a login definition that the user ID in the metadata configuration file can access

Load-Balancing Security Scenario: Recommended Configuration

Load Balancing Diagram

The previous diagram shows a recommended load-balancing configuration that consists of the following server and security definitions on the SAS Metadata Server:

  • two clusters (load-balancing logical servers): Cluster 1, which contains 1 server, and Cluster 2, which contains 2 servers. Cluster 1 contains 1 server and spawner on the same machine; Cluster 2 contains 2 servers and spawners on different machines.

  • a user metadata identity for the server administrator, ServerAdmin, whose login credentials (not shown) are specified in the spawners' metadata configuration file and are used to access the multi-user login (for SAS Stored Process Servers), the logical server credentials (when load balancing across spawners), and the operator ID, if one is specified.

  • two group metadata identities for server administration. The two group metadata identities, Cluster1Logins and Cluster2Logins, each own a group (shared) login definition that is used as follows:

    • For SAS Stored Process Servers, as the multi-user login credentials to start the SAS servers in Cluster 1 and Cluster 2.

    • For SAS Stored Process or SAS Workspace Servers that load-balance across spawners, as the logical server credentials.

    The server administrator, ServerAdmin, belongs to both the Cluster1Logins and the Cluster2Logins groups. Because ServerAdmin is a member of each of the groups that contain the multi-user and logical server credential login definitions for Cluster1 and Cluster 2, ServerAdmin can access all of the multi-user and logical server credential login definitions. Note that the login definitions for the multi-user logins must have the same authentication domain as the servers in their respective clusters.

Note: If you set up a load-balancing SAS Stored Process Server using an Advanced or Personal installation (with SAS Configuration Wizard), then you have a load-balancing configuration with one or more SAS Stored Process Servers (and three MultiBridge connections on each server) in one cluster (for example, Cluster 1) named SASMain - Logical Stored Process Server and security configured as follows:

  • the user metadata identity for server administration is the SAS Trusted User. The SAS Trusted User's credentials (for example, sastrust) are specified in the spawner's metadata configuration file.

  • the group metadata identity for server administration is SAS General Servers group. The multi-user login definition (configured in the stored process server definition) is the login for the SAS General Servers group (for example, sassrv).

You can then add additional servers and spawners to the load-balancing logical server (cluster) or add another load-balancing logical server (cluster) in a new SAS Application Server, as diagrammed in the recommended configuration above.

Planning the Security

To plan for the appropriate load-balancing security, for each load-balancing logical server (cluster), follow these steps:

  1. For SAS Stored Process Servers, plan for the multi-user login definition (on the SAS Metadata Server) and user ID for the spawner's metadata configuration file. It is recommended that you specify the same multi-user login for each server in a cluster. To set up multi-user login definitions for each cluster, you must enable the user ID in the spawner's metadata configuration file to view the multi-user login definitions on the SAS Metadata Server. For details, see Enabling the User ID in the Spawner's Metadata Configuration File to View Spawner/Server Login Definitions. For each cluster, to set up a multi-user login definition and user ID for the spawner's metadata configuration file, plan to implement the following login definition, user, and group structure on the SAS Metadata Server:

    1. Define a group metadata identity.

    2. Define a multi-user login definition as the group (shared) login definition for the group in step a. Depending on which user ID is used for the user ID in the spawner's metadata configuration file, set up the user ID for the spawner's metadata configuration file as follows:

      • If the user ID in the spawner's metadata configuration file is the same user ID as the multi-user login definition's user ID, no additional user and group setup is required.

      • If the user ID in the spawner's metadata configuration file is not the multi-user login's user ID, set up a user metadata identity and login definition for the login credentials (user ID and password) in the spawner's metadata configuration file. Add this user metadata identity as a member of the group metadata identity (from Step a) that contains the multi-user login definition as the group (shared) login definition. (You can also create a group of spawner administrators and add that group to the group that contains the multi-user login definition as the group (shared) login).

    Note: Because the load-balancing stored process server runs under the multi-user login credentials, the operating system account for these credentials must have access to any operating system resources used by stored processes that are hosted on this server.

  2. If you implement more than one spawner, plan for the logical server credentials (on the load-balancing logical server definition on the SAS Metadata Server) for the spawner to use to access other spawners for load balancing. The user ID specified in the spawner's metadata configuration file must also be able to access the login definition that is specified on the logical server credentials in the load-balancing logical server definition (on the SAS Metadata Server). For details, see Planning the Spawner Security.

    • For SAS Stored Process Servers, the recommended configuration specifies the same user ID for the multi-user and logical server credentials.

    • For SAS Workspace Servers, the recommended configuration specifies the logical server credentials as a group login for the group of users who are the server administrators. Plan to implement the following login definition, user, and group structure on the SAS Metadata Server:

      1. Define a group metadata identity.

      2. Define the logical server credentials login definition as the group (shared) login definition. Depending on which user ID is used for the user ID in the spawner's metadata configuration file, set up the user ID for the logical server credentials login as follows:

        • If the user ID in the spawner's metadata configuration file is the same user ID as the logical server credentials login definition's user ID, no additional user and group setup is required.

        • If the user ID in the spawner's metadata configuration file is not the logical server credentials user ID, set up a user metadata identity and login definition for the login credentials (user ID and password ID) in the metadata configuration file. Add this user as a member of the group (from Step a) that contains the logical server credentials login definition as the group (shared) login definition. (You can also create a group metadata identity of spawner administrators and add that group to the group that contains the logical server credentials as the group (shared) login definition).

    If multiple spawners are used with load balancing (for example, when multiple machines are used in load balancing) and the spawners connect to the metadata server using different user or group metadata identities, you must add the user or group metadata identities to the group you use for the group (shared) logical server credentials and multi-user login definition (SAS Stored Process Servers only).

  3. Plan to grant the "Administer" permission (on the load-balancing logical server definition) to the user or group metadata identity that owns the logical server credentials. On the load-balancing logical server definition, you must plan to grant the "Administer" permission to the user (or group) metadata identity that owns the logical server credential's login definition.

  4. Plan to control access to the load-balancing logical server. You must control access for who is authorized to update the load-balancing logical server. To control who can update the load-balancing logical server, in SAS Management Console, you must use the Authorization tab for the load-balancing logical server to do both of the following:

    • Deny "WriteMetadata" permission to the Public group.
    • Grant "WriteMetadata" permission to your metadata administrator.

  5. Plan to control access to the data on the servers. For each server you must control access to the data on the server, either through authorization (access control) metadata (see the Authorization Manager and User Manager plug-in help in the SAS Management Console) or file system access on your host system.

Understanding Authentication

When you implement a load-balancing spawner and server configuration, the user who starts the server, the login definitions specified in the spawner, server, and load-balancing logical server configuration, and the clients who connect to the servers must be authenticated against the appropriate authentication provider. The following table shows the location where the credentials are authenticated:

Locations Where Credentials Are Authenticated
Type of Credentials User ID Role Authentication Location
Standard Spawner and Server Configuration the user ID for the operator login no authentication
for SAS Stored Process Servers, user ID for the multi-user login host authentication provider for the SAS Stored Process Server's machine
Load Balancing Logical Server Configuration user ID of the logical server credentials (on the load-balancing logical server definition) host authentication provider for the local server's machine and the host authentication provider on the machine of the other spawners to which it connects. You can use a network account to provide host authentication for the appropriate machines.
Connections to Load-Balancing Spawner and Server the client user ID host authentication provider for the SAS Stored Process or SAS Workspace Server's machine