Chapter Contents
Previous
Next
|
Chapter Contents |
Previous |
Next |
| Communications Access Methods for SAS/CONNECT and SAS/SHARE Software |
| Client Tasks |
Note: Server security is supported on the Windows NT platform only. ![[cautionend]](../common/images/cautend.gif)
To prepare for accessing a SAS/SHARE server, perform the following tasks:
| Configuring the Server in the SERVICES File |
Each server must be defined as a service in the SERVICES file on each host node from which a client session will access the server. This file usually is located in the directory in which the TCP/IP software is installed. See Configuring the SERVICES File for information about editing the SERVICES file.
| Assigning the Appropriate Rights for Connecting Clients |
The account in which a connecting client runs must have the appropriate rights. To assign these rights
| Setting Security for Connecting Clients |
It is assumed that the client and the server both run Windows NT 4.0 or a subsequent release and are included in an NT domain. Also, it is assumed that the user was authenticated through the domain controller.
A client can use the same user context or a different user context when accessing a server. Users can establish user context by logging in to a server with their userids and passwords to access files that they have permission to access. However, users can also establish a different user context by accessing a server with someone else's userid and password. Supplying someone else's userid and password gives permission to access files that they may be otherwise denied access to. A system administrator's userid and password is an example of a different context. Such a context does not belong to the user but can be granted to the user for access to particular files.
In order for a local host to connect to a remote host in the same user context, do not establish security by means of the USER= and PASSWORD= options in applicable statements or the TCPSEC option. The Windows NT native authentication facility transmits the user's context to the remote host when the user makes a connection.
In order for a local host to access a remote host with a different context, you must set security.
Set security at the client using either of the methods explained in Setting Security for SAS/CONNECT and SAS/SHARE. For Version 8 security behavior, specify the USER= and PASSWORD= options in the appropriate statement. For details, see Providing Client Identification in a Version 8 Session.
For Version 7 security behavior, if you set the TCPSEC option at the client, either specify a userid and a password that are valid on the server or specify _PROMPT_ to supply the userid and password when connecting to a server. For information about setting the TCPSEC option, see Providing Client Identification in a pre-Version 8 Session.
For Windows NT only that runs Version 8, you may qualify username in the form Windows-NT-domain-name\username. Here is an example of how you might specify this information in the LIBNAME statement in SAS/SHARE:
libname test 'prog2 a' user=apex\bass.time2go server=share1;
Domain name
apex
identifies the location of the username and password database. Username
bass and password
time2go will be verified against those in the
identified domain's username and password database.
| Specifying the TCP/IP Communications Access Method |
Note: TCP/IP is the default communications
access method on the Windows platforms. You may omit specifying the access
method in a COMAMID statement and the TCP/IP access method is assumed, by
default.
If you specify the TCP/IP communications access method at each connecting client, before you access a server, use the following syntax:
OPTIONS COMAMID=access-method-id;
where COMAMID is an acronym for Communications Access Method Identification. access-method-id identifies the method used by the client to communicate with the server. TCP (short for TCP/IP, which is an abbreviation for Transmission Control Protocol/Internet Protocol) is an example of an access-method-id.
Example:
options comamid=tcp;
The server is accessed using the TCP/IP access method.
You may specify the COMAMID option in an OPTIONS statement, at a SAS invocation, or in a SAS configuration file.
Additionally, you may use the COMAUX1 and COMAUX2 options to designate auxiliary communications access methods. See SAS/CONNECT and SAS/SHARE: Supported Access Methods According to Host Release for the supported access methods by host. If the first method fails to access a server, the second method is attempted, and so on. You can specify up to two auxiliary access methods, depending on the number of methods that are supported between client and server hosts. access method-id is supported between client and server hosts.
COMAUX options can be specified only at a SAS invocation or in a SAS configuration file. The syntax for the COMAUX options follows:
-COMAUX1 alternate-method -COMAUX2 alternate-method
An example of configuration file entries for a Windows NT client connecting to an OS/390 server follows:
-comamid tcp -comaux1 appc
If the server cannot be reached using the TCP/IP method, a second attempt is made with the APPC access method.
Note: Additionally, a Windows 32s
client supports the CPIC access method.
| Specifying a Server Name |
If the client and server sessions are running on different network nodes, you must include the TCP/IP node in the server identifier in the LIBNAME and PROC OPERATE statements as follows:
SERVER=node.server
This representation is known as a two-level server name.
node must be a valid TCP/IP node name. If the server and the client sessions are running on the same node, you may omit the node name.
server can represent either a server-id or a port number.
libname mylib '.' server=srvnode._ _5000;
If the TCP/IP node name is not a valid SAS name, assign the name of the server node to a SAS macro variable, and use the name of that macro variable for node in the two-level server name.
The access method evaluates the node name in this order of precedence:
The following example shows how to use a SAS macro variable to relay a server node name:
%let srvnode=mktserver.acme.com; libname sales server=srvnode.server1;
Note: Do not use an ampersand
(&) in a two-level name. An ampersand would cause the macro variable to
be resolved by the SAS parser prior to syntactic evaluation of the SERVER=
option. The access method evaluates the node name in a two-level server name.
See SAS Language Reference: Concepts for details about SAS naming rules. See the SAS/SHARE User's Guide for details about the LIBNAME and PROC OPERATE statements.
| Client Example |
The following example illustrates the statements that you specify in a Windows NT client SAS session to connect in a different context to a server with the TCP/IP access method:
options comamid=tcp;
libname sasdata 'c:edc\prog2\sasdata' user=_prompt_
server=rmtnode.share1;
The LIBNAME statement specifies the data library that is accessed through the server, which is specified by the two-level server name RMTNODE.SHARE1, by means of a prompt for a username and a password that are valid on the server.
| Server Tasks |
Note: Server security is supported on
the Windows
NT platform only.
| Configuring the Server in the SERVICES File |
Each server must be defined as a service in the SERVICES file on each remote host node from which a client session will access the server. This file usually is located in the directory in which the TCP/IP product is installed. See Configuring the SERVICES File for information about editing the SERVICES file.
| Setting Server Security |
You may use file permissions to restrict a user's access to libraries and files through a server. A secured server allows connections only from those clients that provide valid userids and passwords for the host on which the server is running. A secured server uses a validated userid and password to verify a user's authority to access a SAS library or a file.
Requiring connecting clients to supply a valid userid and password enforces server security. From a server session, set the TCPSEC option to the value _SECURE_. See SAS/CONNECT and SAS/SHARE Options for more information about setting this option.
| Enforcing Server Userid and Password Encryption |
As a security measure, you may set the AUTHENCR option to enforce the encryption of userids and passwords when passed from the client to the server. See SAS/SHARE Only Options for details about setting the AUTHENCR option.
| Assigning the Appropriate Rights for a Secure Server |
The account in which a secure server runs must have the appropriate rights. To assign these rights
| Specifying the TCP/IP Access Method |
Note: TCP/IP is the default communications
access method on the Windows platforms. You may omit specifying the access
method in a COMAMID statement and the TCP/IP access method is assumed, by
default.
If you specify the TCP/IP communications access method before you can create and access a SAS/SHARE server, use the following syntax at the server:
OPTIONS COMAMID=access-method-id;
where COMAMID is an acronym for Communications Access Method Identification. access-method-id identifies the method used by the server to communicate with the client. TCP (short for TCP/IP, which is an abbreviation for Transmission Control Protocol/Internet Protocol) is an example of an access-method-id.
For a server that is running on a host on which only one communications access method is available, use only the COMAMID option.
Example:
options comamid=tcp;
The server will be available only to SAS/SHARE sessions that use the TCP/IP access method.
You may specify the COMAMID option in an OPTIONS statement, at a SAS invocation, or in a SAS configuration file.
However, if the host on which a server is running supports multiple access methods, you may specify up to two auxiliary access methods by which clients may access the server by using the COMAUX1 and COMAUX2 options. See SAS/CONNECT and SAS/SHARE: Supported Access Methods According to Host Release for the supported access methods by host.
All of the access methods initialize when the server initializes. The activation of multiple access methods makes a server available to several groups of clients, each using a different communications access method simultaneously.
COMAUX options can be specified only at a SAS invocation or in a SAS configuration file. The syntax for the COMAUX options follows:
-COMAUX1 alternate-method -COMAUX2 alternate-method
An example of configuration file entries for a server that is running on a Windows NT host follows:
-comamid tcp -comaux1 spx -comaux2 netbios
When the server starts, all of the communications access methods are initialized. The server is simultaneously available to client sessions that use the TCP/IP access method as well as to clients that use the SPX and NetBIOS access methods.
| Specifying a Server Name |
You must specify the server name in the PROC SERVER statement. Use the following syntax:
SERVER=server
server can represent either a server-id or a port number.
libname mylib '.' server=_ _5000;
See SAS Language Reference: Concepts for details about SAS naming rules. See the SAS/SHARE User's Guide for details about the PROC SERVER statement.
| Server Example |
The following example illustrates the statements that you specify in the server configuration file on a Windows NT host:
-set tcpsec _secure_ -set authencr required
The value _SECURE_ for the TCPSEC option specifies that clients supply a userid and a password that are valid on the server. The value REQUIRED for the AUTHENCR option specifies that only encrypted userids and passwords from clients are accepted.
The following example illustrates the statements that you specify in a SAS session on the Windows NT host at which you start a server:
options comamid=tcp; proc server id=share1; run;
The TCP/IP access method is declared and the server SHARE1 is started on the Windows NT host. The additional options in the PROC SERVER statement allow only validated clients to access the server.
|
Chapter Contents |
Previous |
Next |
 Top of Page |
Copyright 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.