Communications Access Methods for SAS/CONNECT and SAS/SHARE Software |
Client Tasks |
Each server must be defined as a service in the SERVICES file on each host node from which a client session will access the server. This file usually is located in the directory in which the TCP/IP software is installed. See TCP/IP SERVICES File for information about editing the SERVICES file.
Setting Security for Connecting Clients |
Requiring connecting clients to supply a valid userid and password enforces server security. At the client, set the preferred security method for relaying a userid and password that are valid on the server host. For details, see Setting Security for SAS/CONNECT and SAS/SHARE.
Specifying the TCP/IP Communications Access Method |
You must specify the TCP/IP communications access method at the client before you access a server.
Use the following syntax to specify the TCP/IP access method at each connecting client:
OPTIONS COMAMID=access-method-id;
where COMAMID is an acronym for Communications Access Method Identification. access-method-id identifies the method that is used by the client to communicate with the server. TCP (short for TCP/IP, which is an abbreviation for Transmission Control Protocol/Internet Protocol), is an example of an access-method-id.
Example:
options comamid=tcp;
The server is accessed using the TCP/IP access method.
You may specify the COMAMID option in an OPTIONS statement, at a SAS invocation, or in a SAS configuration file.
Additionally, you may use the COMAUX1 option to designate an auxiliary communications access method. See SAS/CONNECT and SAS/SHARE: Supported Access Methods According to Host Release for the supported access methods by host. If the COMAMID method fails to access a server, the second method is attempted. You can specify only one auxiliary access method.
The COMAUX1 option can be specified only at a SAS invocation or in a SAS configuration file. The syntax for the COMAUX1 option follows:
-COMAUX1 alternate-method
An example of configuration file entries for a UNIX client connecting to an OS/390 server follows:
-comamid tcp
-comaux1 appc
If the server cannot be reached using the TCP/IP access method, a second attempt is made with the APPC access method.
Specifying a Server Name |
If the client and server sessions are running on different network nodes, you must include the TCP/IP node in the server identifier in the LIBNAME and PROC OPERATE statements as follows:
SERVER=node.server
This representation is known as a two-level server name.
node must be a valid TCP/IP node name. If the server and the client sessions are running on the same node, you may omit the node name.
server can represent either a server-id or a port number.
libname mylib '.' server=srvnode.__5000;
If the TCP/IP node name is not a valid SAS name, assign the name of the server node to a SAS macro variable, then use the name of that macro variable for node in the two-level server name.
The access method evaluates the node name, in this order of precedence:
The following example shows how to use a SAS macro variable to relay a server node name:
%let srvnode=mktserver.acme.com;
libname sales server=srvnode.server1;
Note: Do not use an ampersand (&) in a two-level name. An ampersand causes the macro variable to be resolved by the SAS parser prior to syntactic evaluation of the SERVER= option.
The access method evaluates the node name in a two-level server name.
See SAS Language Reference: Dictionary for details about SAS naming rules. See SAS/SHARE User's Guide for details about the LIBNAME and PROC SERVER statements.
Client Example |
The following example illustrates the statements that you specify in a UNIX client SAS session to access a server with the TCP/IP access method:
options comamid=tcp;
libname sasdata 'edc/prog2/sasdata' user=_prompt_ server=rmtnode.share1;
The TCP/IP access method is declared. The LIBNAME statement specifies the data library that is accessed through the server, which is specified by the two-level server name RMTNODE.SHARE1, by means of a prompt for a username and a password that are valid on the server.
Server Tasks |
/etc/services file.
!sasroot/utilities/bin/sasauth is owned by ROOT and that the "Set-user-id" bit is set for the file (chmod 4755 !sasroot/utilities/bin/sasauth).
!sasroot/utilities/bin/sasperm is owned by ROOT and that the "Set-user-id" mode bit is set for the file (chmod 4755 !sasroot/utilities/bin/sasperm).
Note: Optional tasks apply to setting up server security.
Configuring the Server in the /etc/services File |
Each server must be defined as a service in the /etc/services file on each remote host node from which a client session will access the server. A typical entry follows:
sassrv2 5011/tcp # SAS/SHARE server 2
See Configuring the SERVICES File for information about editing the /etc/services file.
Setting Server Security |
You may use file permissions to restrict a user's access to libraries and files through a server. A secured server allows connections only from those clients that provide valid userids and passwords for the host on which the server is running. A secured server uses a validated userid and password pair to verify a user's authority to access a SAS library or a SAS file.
Requiring connecting clients to supply a valid userid and password enforces server security. From a server session, set the TCPSEC variable to the value _SECURE_. See Providing Client Identification in a pre-Version 8 Session for more information about setting this variable.
Enforcing Server Userid and Password Encryption |
As a security measure, you may set the AUTHENCR option to enforce the encryption of userids and passwords when passed from the client to the server. See SAS/SHARE Only Option for details about setting AUTHENCR.
Configuring User Authorization |
If SAS was installed from the root account, then it can be assumed that this task has already been performed. Otherwise, a root user must configure resources on the remote host on which a server runs in order to authenticate a remote user's identity and to check the user's authority to access resources.
Perform these tasks through the SAS Setup menu or by issuing the corresponding UNIX commands at a shell prompt:
From the root account, at the command line, initialize !SASROOT/sassetup, and from the SAS Setup Primary Menu, select:
Run setup Utilities -> Perform SAS System Configuration -> Configure User Authorization
where !SASROOT is the directory where SAS was installed.
Alternatively, issue these UNIX commands at a shell prompt:
su root
cd !SASROOT/utilities/bin
chown root sasauth sasperm sastcpd objspawn
chmod 4755 sasauth sasperm sastcpd objspawn
exit
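One way to verify the result of the commands above, as an added example that is not SAS-supplied code. The function names, the finding labels and the optional owner-uid parameter are assumptions made for illustration; the four file names and mode 4755 come from this page.

```shell
# Added example: audit the helper binaries named in the chown/chmod step.
# audit_helper FILE [OWNER_UID] prints one finding per problem and returns
# non-zero if a check fails. OWNER_UID defaults to 0 (root); the parameter
# is hypothetical and exists so the check can be exercised without root.
audit_helper() {
    file=$1
    want_uid=${2:-0}
    rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    # ls -ldn prints the mode string (field 1) and numeric owner uid (field 3)
    set -- $(ls -ldn "$file")
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER $file: uid $uid, expected $want_uid"
        rc=1
    fi
    # Mode 4755 renders as -rwsr-xr-x: setuid, writable by the owner only
    case $mode in
        -rwsr-xr-x*) ;;
        ???[!sS]*)
            echo "NOSUID $file: $mode"; rc=1 ;;
        ?????w*|????????w*)
            echo "WRITABLE $file: $mode"; rc=1 ;;
        *)
            echo "MODE $file: $mode, expected -rwsr-xr-x"; rc=1 ;;
    esac
    return $rc
}

# audit_sas_helpers DIR [OWNER_UID] checks all four programs from the page.
audit_sas_helpers() {
    dir=$1
    want_uid=${2:-0}
    failed=0
    for name in sasauth sasperm sastcpd objspawn; do
        audit_helper "$dir/$name" "$want_uid" || failed=1
    done
    return $failed
}
```

Run `audit_sas_helpers` against the `utilities/bin` directory under the SAS installation directory; a setuid-root program that is group- or world-writable, or not owned by root, is the finding to act on first.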
Validating Client Userid and Password Pairs with the Authenticate Program |
Note: This feature applies to a server that is running on a UNIX host only.
You may use a built-in authentication program named sasauth, which is invoked automatically when a client accesses a server that is running in secure mode. This program authenticates userid and password pairs, which allow client access to the server.
To secure a server, the server administrator sets the TCPSEC environment variable to _SECURE_. See Providing Client Identification in a pre-Version 8 Session for information about TCPSEC.
Note: For Version 6, the authenticate program is used to validate server userids and passwords. See Authenticate Program for details about using this program.
Allowing Client Access to SAS Libraries or Files with the Permission Program |
Note: This feature applies to a server that is running on a UNIX or a CMS host only.
When presented with a validated userid, the server uses a default program named sasperm to verify the following attributes:
The sasperm program determines whether the requesting user has access to the file or directory.
Note: For Version 6, the permission program enables clients to access SAS libraries or files. See Permission Program for details about using this program.
Specifying the TCP/IP Access Method |
You must specify the TCP/IP communications access method at the server before a client can access it.
Use the following syntax to specify the TCP/IP access method at the server:
OPTIONS COMAMID=access-method-id;
where COMAMID is an acronym for Communications Access Method Identification. access-method-id identifies the method that is used by the server to communicate with the client. TCP (short for TCP/IP, which is an abbreviation for Transmission Control Protocol/Internet Protocol) is an example of an access-method-id.
For a server that is running on a host on which only one communications access method is available, use only the COMAMID option.
Example:
options comamid=tcp;
The server will be available only to SAS/SHARE sessions that use the TCP/IP access method. You may specify the COMAMID option in an OPTIONS statement, on the SAS invocation, or in a SAS configuration file.
However, if the host on which a server is running supports multiple access methods, you may specify an auxiliary access method by which clients may access the server. See SAS/CONNECT and SAS/SHARE: Supported Access Methods According to Host Release for the supported access methods by host.
All of the access methods initialize when the server initializes. The activation of multiple access methods makes a server available to several groups of clients, each using a different communications access method simultaneously.
The COMAUX1 option can be specified only at a SAS invocation or in a SAS configuration file. The syntax for the COMAUX1 option follows:
-COMAUX1 alternate-method
An example of configuration file entries for a server that is running on a CMS host follows:
-comamid tcp
-comaux1 appc
When the server starts, all of the communications access methods are initialized. The server is simultaneously available to client sessions that use the TCP/IP access method as well as to clients that use the APPC access method.
Specifying a Server Name |
You must specify the server name in the PROC SERVER statement. Use the following syntax:
SERVER=server
server can represent either a server-id or a port number.
libname mylib '.' server=srvnode.__5000;
The following example shows how to use a SAS macro variable to relay a server node name:
%let srvnode=mktserver.acme.com;
libname sales server=server1;
See SAS Language Reference: Dictionary for details about SAS naming rules. See the SAS/SHARE User's Guide for details about the PROC SERVER statement.
Server Example |
The following example illustrates the statements that you specify in the server configuration file on a UNIX host:
-set tcpsec _secure_
-set authencr required
The value _SECURE_ for the TCPSEC variable requires clients to supply a userid and password that are valid on the server. The value REQUIRED for AUTHENCR allows only encrypted userids and passwords from clients.
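A check for these two settings in a server configuration file, as an added example that is not part of the SAS documentation. The function name and the report wording are assumptions, and so is treating names and values as case-insensitive (the page writes them in both cases).

```shell
# Added example: confirm that a SAS server configuration file carries the
# two security settings described above. Prints one line per finding and
# returns non-zero if either setting is missing or has another value.
audit_sas_security() {
    awk '
    BEGIN {
        want["tcpsec"]   = "_secure_"
        want["authencr"] = "required"
    }
    {
        # entries have the form: -set NAME VALUE (several may share a line)
        for (i = 1; i + 2 <= NF; i++) {
            if (tolower($i) != "-set") continue
            name  = tolower($(i + 1))
            value = tolower($(i + 2))
            if (!(name in want)) continue
            seen[name] = 1
            # any occurrence with a different value is reported
            if (value != want[name]) weak[name] = value
        }
    }
    END {
        rc = 0
        for (name in want) {
            if (!(name in seen)) {
                printf "%s: missing (expected %s)\n", name, want[name]
                rc = 1
            } else if (name in weak) {
                printf "%s: %s (expected %s)\n", name, weak[name], want[name]
                rc = 1
            }
        }
        exit rc
    }' "$1"
}
```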
The following example illustrates the statements that you specify in a SAS session on the UNIX host at which you start a server:
options comamid=tcp;
proc server id=share1 authenticate=req;
run;
The TCP/IP access method is declared and the server SHARE1 is started on the UNIX host. The additional options in the PROC SERVER statement allow only validated clients to access the server.
Copyright 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.