SAS 9.4 Intelligence Platform: Middle-Tier

SAS 9.4 Intelligence Platform: Middle-Tier
SAS 9.4 Intelligence
Platform
®
Middle-Tier Administration Guide
SAS® Documentation
The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2013. SAS® 9.4 Intelligence Platform:
Middle-Tier Administration Guide. Cary, NC: SAS Institute Inc.
SAS® 9.4 Intelligence Platform: Middle-Tier Administration Guide
Copyright © 2013, SAS Institute Inc., Cary, NC, USA
All rights reserved. Produced in the United States of America.
For a hard-copy book: No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means, electronic, mechanical, photocopying, or otherwise, without the prior written permission of the
publisher, SAS Institute Inc.
For a web download or e-book: Your use of this publication shall be governed by the terms established by the vendor at
the time you acquire this publication.
The scanning, uploading, and distribution of this book via the Internet or any other means without the permission of the
publisher is illegal and punishable by law. Please purchase only authorized electronic editions and do not participate in or
encourage electronic piracy of copyrighted materials. Your support of others' rights is appreciated.
U.S. Government Restricted Rights Notice: Use, duplication, or disclosure of this software and related documentation by
the U.S. government is subject to the Agreement with SAS Institute and the restrictions set forth in FAR 52.227-19,
Commercial Computer Software-Restricted Rights (June 1987).
SAS Institute Inc., SAS Campus Drive, Cary, North Carolina 27513.
July 2013
SAS provides a complete selection of books and electronic products to help customers use SAS® software to its fullest
potential. For more information about our e-books, e-learning products, CDs, and hard-copy books, visit support.sas.com/
bookstore or call 1-800-727-3228.
SAS® and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute
Inc. in the USA and other countries. ® indicates USA registration.
Other brand and product names are registered trademarks or trademarks of their respective companies.
Contents
What's New in Middle-Tier Administration for the SAS 9.4 Intelligence
Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Recommended Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
PART 1
Middle-Tier Overview
1
Chapter 1 / Working in the Middle-Tier Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Understanding the Middle-Tier Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Middle-Tier Software Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
SAS Web Infrastructure Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
SAS Content Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Starting the Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Chapter 2 / Interacting with the Server Tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuration Shared between the Middle Tier and the Server Tier . 21
SMTP Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
SAS Web Infrastructure Platform Data Server . . . . . . . . . . . . . . . . . . . . . . . . . 23
JDBC Data Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Job Execution Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
PART 2
Middle-Tier Components
35
Chapter 3 / Administering SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
About SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installing SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Understanding the SAS Web Server Configuration . . . . . . . . . . . . . . . . . . . . 40
iv Contents
Understanding SAS Web Server Management . . . . . . . . . . . . . . . . . . . . . . . . 41
Monitoring SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Chapter 4 / Administering SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
About SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Installing SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Understanding the SAS Web Application Server Configuration . . . . . . 48
Deploying Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Understanding SAS Web Application Server Management . . . . . . . . . . 50
Monitoring SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Chapter 5 / Administering Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
About the Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Installing Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Understanding the Cache Locator Configuration . . . . . . . . . . . . . . . . . . . . . . 54
Setting the Bind Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Chapter 6 / Administering JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
About JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Installing JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Understanding the JMS Broker Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Monitoring JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
PART 3
Middle-Tier Applications
59
Chapter 7 / Administering the SAS Web Infrastructure Platform . . . . . . . . . . . . . . . . . . . 61
About SAS Web Infrastructure Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Using Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Setting Global Properties for SAS Applications . . . . . . . . . . . . . . . . . . . . . . . . 69
Specifying Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Configuring Auditing for SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . 80
Using the SAS Web Administration Console . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Chapter 8 / Administering SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Contents
v
About SAS Deployment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Rebuilding the SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Redeploying the SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Reconfiguring the Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Administering Logging for SAS Web Applications . . . . . . . . . . . . . . . . . . . . 111
Chapter 9 / Administering SAS Logon Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
About SAS Logon Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Customizing Log On, Log Off, and Time Out Messages . . . . . . . . . . . . 120
Displaying a Warning Message for Inactive User Sessions . . . . . . . . . 122
Configuring the HTTP Session Time-out Interval . . . . . . . . . . . . . . . . . . . . . 124
Configuring the Global Single Sign-On Time-out Interval . . . . . . . . . . . 129
Configuring Middle Tier Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Disabling Concurrent Logon Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Chapter 10 / Administering the SAS Content Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
About the SAS Content Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
SAS Content Server Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Moving Content or Backing Up the SAS Content Server . . . . . . . . . . . . 137
Deploying Content Manually to the SAS Content Server . . . . . . . . . . . . 138
Using the SAS Content Server Administration Console . . . . . . . . . . . . . 144
Implementing Authorization for the SAS Content Server . . . . . . . . . . . . 151
Manual Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Chapter 11 / Administering the SAS BI Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of SAS BI Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing Generated Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring SAS BI Web Services for Java . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of Security for Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Securing SAS BI Web Services for Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
159
159
160
161
166
167
Chapter 12 / Administering SAS Web Application Themes . . . . . . . . . . . . . . . . . . . . . . . . . 171
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Steps for Defining and Deploying a New Theme . . . . . . . . . . . . . . . . . . . . . 175
Deleting a Custom Theme from the Metadata . . . . . . . . . . . . . . . . . . . . . . . . 189
Migrating Custom Themes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
vi Contents
Chapter 13 / Administering SAS Flex Application Themes . . . . . . . . . . . . . . . . . . . . . . . . . 199
Introduction to SAS Flex Application Themes . . . . . . . . . . . . . . . . . . . . . . . . . 199
Benefits of SAS Flex Application Themes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Location of SAS Flex Application Themes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
PART 4
Advanced Topics
201
Chapter 14 / Best Practices for Configuring Your Middle Tier . . . . . . . . . . . . . . . . . . . . . 203
Sample Middle-Tier Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Adding a Vertical Cluster Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Adding a Horizontal Cluster Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Tuning the Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring HTTP Sessions in Environments with
Proxy Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Chapter 15 / High-Availability Features in the Middle Tier . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Overview of High-Availability Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
SAS Environment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
SAS Web Infrastructure Platform Data Server . . . . . . . . . . . . . . . . . . . . . . . . 229
Chapter 16 / Enterprise Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Configuring the Middle Tier to Use an Existing
Customer Reverse Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Support for IBM Tivoli Access Manager WebSEAL . . . . . . . . . . . . . . . . . . 244
Support for CA SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Support for Integrated Windows Authentication . . . . . . . . . . . . . . . . . . . . . . 259
Chapter 17 / Middle-Tier Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Contents
Using the SAS Anonymous Web User with SAS Authentication . . .
Configuring SAS Web Server Manually for HTTPS . . . . . . . . . . . . . . . . . .
Configuring SAS Web Application Server to Use HTTPS . . . . . . . . . . .
FIPS 140-2 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PART 5
Tools and Utilities
vii
269
270
273
275
279
Chapter 18 / Using the SAS Web Infrastructure Platform Utilities . . . . . . . . . . . . . . . . 281
Using the DAVTree Utility to Manage WebDAV Content . . . . . . . . . . . . 282
Using the Package Cleanup Utility to Remove Packages . . . . . . . . . . . 286
Using JMX Tools to Manage SAS Resources . . . . . . . . . . . . . . . . . . . . . . . . 293
Chapter 19 / SAS Configuration Scripting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Special Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Scripting Tool for SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . 302
PART 6
Appendices
321
Appendix 1 / Configuring the SAS Environment File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
About the SAS Environment File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configuring the SAS Environment File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Appendix 2 / Administering Multicast Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Overview of Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
How Much Multicast Network Traffic is Generated? . . . . . . . . . . . . . . . . . 329
Multicast Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring Multicast Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Configuring a Multicast Authentication Token . . . . . . . . . . . . . . . . . . . . . . . . . 333
Configuring the JGroups Bind Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
viii Contents
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
ix
Whatʼs New
What's New in Middle-Tier
Administration for the SAS 9.4
Intelligence Platform
Overview
The SAS 9.4 middle-tier software has the following changes and enhancements:
n
SAS Web Server and SAS Web Application Server
n
Enhancements to support SAS Web Application Server clustering
n
SAS Environment Manager
n
SAS Web Infrastructure Platform Data Server
n
Enhancements to SAS Logon Manager
n
Enhancements for SAS Content Server
n
Support for web application archive files
x Middle-Tier Administration
SAS Web Server and SAS Web
Application Server
The SAS 9.4 middle-tier software includes SAS Web Server for use as an HTTP server
and SAS Web Application Server. SAS Web Application Server is a lightweight server
that provides enterprise-class features for running SAS web applications. Both products
can be installed and configured automatically with the SAS Deployment Wizard.
Enhancements to Support SAS Web
Application Server Clustering
The SAS Deployment Wizard has been enhanced to simplify clustering SAS Web
Application Server. In previous releases, the following steps required manual
configuration, but are performed automatically in this release:
n
install a Java environment and web application server software
n
create repository configuration files for each instance of SAS Content Server
n
configure a load-balancing HTTP server
With the enhancements, you can easily configure vertical cluster members (additional
server instances on the same machine) and horizontal cluster members (install and
configure servers on additional machines).
Combining vertical and horizontal clustering is also supported and can be configured
easily.
Enhancements to SAS Logon Manager
xi
SAS Environment Manager
SAS Environment Manager provides a number of systems and application management
features for managing the SAS servers in your deployment. An agent is installed on
each machine in the deployment. The agent collects metrics from the server processes
and operating system running on the machine and sends them to the SAS Environment
Manager server.
Both the agents and the server can be installed and configured automatically with the
SAS Deployment Wizard.
SAS Web Infrastructure Platform Data
Server
SAS Web Infrastructure Platform Data Server replaces the SAS Framework Data
Server that was used in SAS 9.3. The data server provides a transactional store for
SAS middle-tier software.
The server can be installed and configured automatically with the SAS Deployment
Wizard. The server is based on PostgreSQL 9.1.9. SAS configures a single server
instance and SAS Web Application Server instances are configured with JDBC data
sources that access the server. SAS Environment Manager also stores transactional
information in the server.
Enhancements to SAS Logon Manager
In previous releases, the SAS Logon Manager enabled administrators to deny
concurrent logons. In this release, this feature is enhanced to offer the ability to log off
xii Middle-Tier Administration
the existing session. This setting enables users can access to the applications that they
need and administrators are assured that only one session is active at a time.
For SAS 9.4, SAS Logon Manager uses the Central Authentication Service (CAS) that
is available from Jasig. This change enables single sign-on so that users to access
multiple SAS web applications seemlessly.
Enhancements for SAS Content Server
SAS Content Server is a web application that provides WebDAV features for your SAS
deployment. The SAS 9.4 release includes an update for SAS Content Server to
provide JCR 2.0 features.
By default, the SAS Content Server is also enhanced to use the SAS Web Infrastructure
Platform Data Server for storage. In previous releases, this was an option during the
installation process. Using the database for storage simplifies using SAS Content
Server in a web application server cluster because there is no longer any need for
repository reconfiguration.
Support for Web Application Archive
Files
In previous SAS releases, the SAS web applications were managed and deployed as
enterprise web application archive (EAR) files. For the SAS 9.4 release, the web
applications are managed as EAR files, but they are deployed as web application
archive (WAR) files.
xiii
Recommended Reading
n
SAS Intelligence Platform: Overview
n
SAS Intelligence Platform: System Administration Guide
n
SAS Intelligence Platform: Security Administration Guide
n
SAS Management Console: Guide to Users and Permissions
n
SAS Integration Technologies: Overview
n
SAS offers instructor-led training and self-paced e-learning courses to help you
administer the SAS Intelligence Platform. For more information about the courses
available, see support.sas.com/admintraining.
For a complete list of SAS books, go to support.sas.com/bookstore. If
you have questions about which titles you need, please contact a SAS
Book Sales Representative:
SAS Books
SAS Campus Drive
Cary, NC 27513-2414
Phone: 1-800-727-3228
Fax: 1-919-677-8166
E-mail: sasbook@sas.com
Web address: support.sas.com/bookstore
xiv Recommended Reading
1
Part 1
Middle-Tier Overview
Chapter 1
Working in the Middle-Tier Environment . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2
Interacting with the Server Tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2
3
1
Working in the Middle-Tier
Environment
Understanding the Middle-Tier Environment . . . . . . . . . . . . . . . . . . . . . . . . . 4
Middle-Tier Software Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Java Runtime Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
SAS Environment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
SAS Web Infrastructure Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Services and Applications in the SAS Web
Infrastructure Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
SAS Foundation Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
SAS Web Infrastructure Platform Services . . . . . . . . . . . . . . . . . . . . . . . . . 14
SAS Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
SAS Content Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
SAS Web Report Studio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
SAS Information Delivery Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
SAS BI Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
SAS BI Portlets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
SAS Help Viewer for the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4 Chapter 1 / Working in the Middle-Tier Environment
Starting the Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Understanding the Middle-Tier
Environment
The middle tier of the SAS Intelligence Platform enables users to access intelligence
data and functionality with a web browser. This tier provides web-based interfaces for
report creation and information distribution, while passing analysis and processing
requests to the SAS servers.
The middle tier of the SAS Intelligence Platform provides an environment for running
applications such as SAS Web Report Studio and SAS Information Delivery Portal.
These applications run in a web application server and have a graphical user interface
that users navigate with a web browser. These applications rely on servers on the SAS
server tier to perform SAS processing, including data query and analysis.
Understanding the Middle-Tier Environment
The following figure shows how the middle tier interacts with the other tiers of the SAS
Intelligence Platform. For a description of these components, see SAS Intelligence
Platform: Overview.
Figure 1.1
Architecture of the SAS Intelligence Platform
Data Sources
SAS Servers
SAS Data Sets
SAS Metadata Server
SAS OLAP Cubes
SAS Workspace
Server
Middle Tier
Clients
SAS Web Server
Desktop clients:
SAS Scalable
Perf ormance Data
(SPD) Engine Tables
SAS Poo led
Workspace Server
SAS Scalable
Performance
Data (SPD) Server
SAS OLAP Server
SAS Web
Infrastructure Plantform
Data Server
Third-party
Data Stores
• SAS Add-In for Microsoft Office
SAS Web App lication
Server
• SAS Data Integration Studio
• SAS Enterprise Guide
• SAS Enterprise Miner
SAS Web Inf rastructure
Platf orm
SAS
Content
Server
Other
infrastructure
appli cations
and services
• SAS Forecast Studio
HTTP
• SAS Information Map Studio
• SAS Manage ment Console
• SAS Model Manager
• SAS OLAP Cube Studio
• SAS Workflow Studio
• JMP
• Other SAS anal ytics and
solutions
• SAS Web Report Studio
SAS Stored
Process Server
• SAS Information
Deli very Portal
• SAS BI Portlets
Running SAS processes f or
distributed clients
Enterprise Resource
Planning (ERP) Systems
• SAS BI Dashboa rd
• SAS Help Viewe r for the
Web
• Other SAS Web
applications and solutions
HTTP
HTTP
SAS Environment Manager
Web browser (to
surf ace Web
app lications)
Mobile devices (to
view some types
of reports)
The middle tier includes the following software elements:
n
SAS Web Server and SAS Web Application Server
n
a Java Runtime Environment (JRE)
n
SAS web applications, which can include SAS Web Report Studio, the SAS
Information Delivery Portal, the SAS BI Dashboard, and other SAS products and
solutions
n
the SAS Web Infrastructure Platform, which includes the SAS Content Server and
other infrastructure applications and services
n
the JMS Broker, which is used to provide distributed communication with Java
Messaging Services. Some SAS web applications use queues and topics for
business logic.
5
6 Chapter 1 / Working in the Middle-Tier Environment
n
the Cache Locator, which is used by SAS web applications to locate and connect to
a distributed cache. The SAS web applications use the cache to maintain awareness
of user sessions and to share application data.
n
SAS Environment Manager, which is used to monitor and manage the server tier
and middle tier of the SAS deployment.
The SAS Intelligence Platform architecture provides the flexibility to distribute these
components according to your organization's requirements. For small implementations,
the middle-tier software, SAS Metadata Server, and other SAS servers, such as the
SAS Workspace Server and SAS Stored Process Server, can all run on the same
machine. In contrast, a large enterprise might have multiple servers and a metadata
repository that are distributed across multiple platforms. The middle tier in such an
enterprise might distribute the web applications to many web application server
instances on multiple machines.
Middle-Tier Software Components
The following figure illustrates the middle-tier components:
Figure 1.2 Middle-Tier Components
SAS Web Application Server
SAS Web
Report Studio
SAS
Information
Delivery Portal
SAS BI
Portlets
SAS BI
Dashboard
SAS Help
Viewer for
the Web
Other SAS
web applications
and solutions
SAS Web Infrastructure Platform
SAS BI
Web Services
SAS Shared
Web Assets
SAS Web
Infrastructure
Services
SAS Logon
Manager
SAS Preferences
Manager
SAS Workflow
Engine
SAS Comment
Manager
SAS Stored
Process Web
Application
SAS Web
Administration
Console
SAS Content
Server
SAS
Authorization
Services
SAS Deployment
Backup and
Recovery Tool
SAS Identity
Services
SAS Principal
Services
SAS Notification
Template
Manager
SAS Web
Infrastructure Platform
Permission Manager
SAS Web Server
SAS Environment
Manager
Middle-Tier Software Components
SAS Web Server
SAS Web Server is included with SAS 9.4 software. It is an HTTP server that is
configured as a single connection point for SAS web applications. When the SAS
middle tier is clustered, SAS Web Server is automatically configured to perform load
balancing.
7
8 Chapter 1 / Working in the Middle-Tier Environment
HTTPS is also supported and can be configured during initial installation and
configuration of SAS Web Server. Alternatively, SAS Web Server can be reconfigured
after the initial deployment to support HTTPS.
SAS Web Application Server
SAS Web Application Server is provided with SAS 9.4 software. It provides the
execution environment for the SAS web applications. The SAS Deployment Wizard can
automatically configure the web application server, or you can configure it manually.
The following applications and services run in the web application server environment:
n
applications and services that are part of the SAS Web Infrastructure Platform
n
the SAS Web Report Studio, SAS Information Delivery Portal, SAS BI Dashboard,
and SAS Help Viewer for the Web applications
Depending on which products and solutions you have purchased, your site might have
additional web applications.
Java Runtime Environment
The SAS middle-tier environment includes a Java Runtime Environment that is included
with SAS 9.4 software. You do not need to install a separate Java environment for the
middle-tier environment.
JMS Broker
A JMS Broker instance is configured as a server on the machine that is used for the
SAS middle tier. This software fully implements the Java Message Service 1.1
specification and acts as a message broker. It provides advanced features such as
clustering, multiple message stores, and the ability to use file systems, and databases
as a JMS persistence provider.
SAS Web Infrastructure Platform 9
Cache Locator
SAS Web Application Server uses the distributed data cache that is available with
VMware vFabric GemFire. SAS uses the cache as a peer-to-peer cache. In order for the
instances of SAS Web Application Server to join as members of the cache, the Cache
Locator is used. The locator provides the mechanism for peer discovery. The locator is
used by instances of SAS Web Application Server and the SAS Web Infrastructure
Platform Scheduling Services.
SAS Environment Manager
The SAS middle-tier environment includes SAS Environment Manager. This software
includes an agent process that is installed on each server-tier and middle-tier machine
in the deployment. Each agent gathers performance metrics and transfers the data to a
server process that runs on a middle-tier machine. The server process includes a web
application server that provides a web-based administrative interface.. Administrators
use a web browser to monitor and manage numerous components in the SAS
environment.
SAS Web Infrastructure Platform
The SAS Web Infrastructure Platform is a collection of services and applications that
provide common infrastructure and integration features for the SAS web applications.
Services and Applications in the SAS Web
Infrastructure Platform
Services and applications in the Web Infrastructure Platform provide the following
benefits:
n
consistent installation, configuration, and administration tasks for web applications
n
consistent user interactions with web applications, such as logon
n
integration among web applications as a result of sharing common resources
10 Chapter 1 / Working in the Middle-Tier Environment
The following services and applications are included in the SAS Web Infrastructure
Platform:
Table 1.1
Services and Applications in the SAS Web Infrastructure Platform
Application or Service
Features
SAS Authorization Service
This service is used by some SAS web applications that
manage authorization through web services.
SAS BI Web Services for Java
Can be used to enable your custom applications to invoke
and obtain metadata about SAS Stored Processes. Web
services enable distributed applications that are written in
different programming languages and that run on different
operating systems to communicate using standard webbased protocols. Simple Object Access Protocol (SOAP) is
a common protocol. SAS includes support for JSON and
REST as well.
The SAS BI Web Services for Java interface is based on the
XML For Analysis (XMLA) Version 1.1 specification.
SAS Content Server
Stores digital content (such as documents, reports, and
images) that can be created and used by the SAS web
applications.
SAS Deployment Backup and
Recovery Tool
Enables deployment-wide backup and recovery services.
For more information, see SAS Intelligence Platform:
System Administration Guide.
SAS Identity Services
Provides SAS web applications with access to user identity
information.
SAS Logon Manager
Provides a common user authentication mechanism for SAS
web applications. It displays a dialog box for user ID and
password entry, authenticates the user, and launches the
requested application. SAS Logon Manager supports a
single sign-on authentication model. When this model is
enabled, it provides access to a variety of computing
resources (including servers and web pages) during the
application session without repeatedly prompting the user
for credentials.
You can configure SAS Logon Manager to display custom
messages and to specify whether a logon dialog box is
displayed when users log off.
SAS Web Infrastructure Platform 11
Application or Service
Features
SAS Preferences Manager
Provides a common mechanism for managing preferences
for SAS web applications. The application enables
administrators to set default preferences for locale, theme,
alert notification, time, date, and currency. In the SAS
Information Delivery Portal, users can view the default
settings and update their individual preferences.
SAS Principal Services
Enables access to core platform web services for SAS
applications.
SAS Shared Web Assets
Contains graph applet JAR files that are shared across SAS
web applications. They display graphs in stored processes
and in the SAS Stored Process Web Application.
SAS Stored Process Web
Application
Provides a mechanism for web clients to run SAS Stored
Processes and return the results to a web browser. The
SAS Stored Process Web Application is similar to the
SAS/IntrNet Application Broker, and has similar syntax and
debug options. Web applications can be implemented using
the SAS Stored Process Web Application, the Stored
Process Service API, or a combination of both. Here is how
the SAS Stored Process Web Application processes a
request:
SAS Notification Template
Editor
1
A user enters information in an HTML form using a web
browser and then submits it. The information is sent to a
web server, which invokes the first component, the SAS
Stored Process Web Application.
2
The Stored Process Web Application accepts data from
the web server, and contacts the SAS Metadata Server
for retrieval of stored process information.
3
The stored process data is then sent by the Stored
Process Web Application to a stored process server via
the object spawner.
4
The stored process server invokes a SAS program that
processes the information.
5
The results of the SAS program are sent back through
the web application and web server to the web browser.
Enables administrators to create and edit messages that are
sent as notifications to end users of SAS applications.
12 Chapter 1 / Working in the Middle-Tier Environment
Application or Service
Features
SAS Web Administration
Console
Provides features for monitoring and administering middletier components. This browser-based interface enables
administrators to perform the following tasks:
n Monitor users who are logged on to SAS web
applications, and send e-mail to them.
n View user-level audit information such as the number of
users, successful logons, unsuccessful logons, and find
the time of a user’s last logon.
n Manage permissions for folders and documents that are
managed by SAS Content Services.
n Manage templates and letterheads that are used as part
of messages that are sent as notifications to end users of
SAS applications.
n View configuration information for each middle-tier
component.
SAS Web Infrastructure
Platform Permission Manager
Enables administrators to set web-layer permissions on
folders and documents for SAS applications that use SAS
Content Services for access to digital content. You can
access the permissions manager with the SAS Web
Administration Console.
SAS Web Infrastructure
Platform Services
Provides a common infrastructure for SAS web applications.
The infrastructure supports activities such as auditing,
authentication, configuration, status and monitoring, e-mail,
theme management, and data sharing across SAS web
applications.
SAS Workflow
Provides the web services that implement workflow
management. The SAS Workflow services are used by SAS
applications and solutions for tightly integrated workflow
management.
In the middle tier, the SAS Web Infrastructure Platform plays a critical role with a
collection of middle-tier services and applications that provide basic integration services.
In the web application server, two sets of services are available to all SAS web
applications:
n
SAS Foundation Services
SAS Web Infrastructure Platform 13
n
SAS Web Infrastructure Platform Services
SAS Foundation Services
The SAS Foundation Services is a set of core infrastructure services that enables Java
programmers to write distributed applications that are integrated with the SAS platform.
This suite of Java application programming interfaces provides core middleware
infrastructure services. These services include the following:
n
client connections to SAS Application Servers
n
dynamic service discovery
n
user authentication
n
profile management
n
session management
n
activity logging
n
metadata and content repository access
n
connection management
n
WebDAV service
Extension services for information publishing, event management, and SAS Stored
Process execution are also provided. All of the SAS web applications that are described
in this document use the SAS Java Platform Services. If you have correctly installed
and configured the web applications, the platform services are defined in your SAS
metadata repository.
You can verify this metadata in the SAS Management Console. Depending on the web
applications that were installed, the SAS Portal Local Services (used by the SAS
Information Delivery Portal) are displayed in the SAS Management Console.
In addition, other applications and portlets might have deployment of their own local
services.
14 Chapter 1 / Working in the Middle-Tier Environment
SAS Web Infrastructure Platform Services
The SAS Web Infrastructure Platform Services provide common infrastructure and
integration features that can be shared by any SAS application. Here is a description of
the features:
n
Audit provides a single, common auditing capability.
n
Authentication is a common method for authenticating middle-tier applications. A
corresponding web service provides connectivity based on WS security standards
for web service clients.
n
Configuration is a standard way to define, store, and retrieve configuration
information for SAS applications.
n
Directives provide application integration so that SAS applications can share
intelligence and data. Applications can link to one another without requiring specific
information about a particular deployment location.
n
Mail is a single, common mechanism for Simple Mail Transfer Protocol (SMTP)based mail.
n
Status and monitoring is a collective set of services providing information about the
configured or functioning system.
n
Comment service enables users to add comments, with or without an attachment.
This feature enables the capture of human intelligence and supports collaborative
decision making related to business data.
n
Alerts service enables users to register to receive time-sensitive, action-oriented
messages when a specified combination of events and conditions occurs. Alerts can
be sent to the user's e-mail address or displayed in the SAS Information Delivery
Portal.
n
Themes provide access to theme definitions for presentation assets used in web
applications.
n
SAS Workflow Services enable applications to interact with business processes that
run in the SAS Workflow Engine.
SAS Content Server
n
15
Registry provides access to services for desktop clients; a client needs to know only
a single endpoint to determine other required locations.
SAS Workflow
SAS Workflow provides services that work together to model, automate, integrate, and
streamline business processes. It provides a platform for more efficient and productive
business solutions. SAS Workflow is used by SAS solutions that benefit from business
process management.
SAS Workflow Studio is a desktop client application that is used to design and deploy
workflows. The SAS middle tier hosts the workflow engine and the workflow services.
SAS Content Server
The SAS Content Server is part of the SAS Web Infrastructure Platform. This server
stores digital content (such as documents, reports, and images) that is created and
used by SAS web applications. For example, the SAS Content Server stores report
definitions that are created by users of SAS Web Report Studio, as well as images and
other elements that are used in reports. A process called content mapping ensures that
report content is stored using the same folder names, folder hierarchy, and permissions
that the SAS Metadata Server uses to store corresponding report metadata.
In addition, the SAS Content Server stores documents and other files that are to be
displayed in the SAS Information Delivery Portal or in SAS solutions.
To interact with the SAS Content Server, client applications use Web Distributed
Authoring and Versioning (WebDAV) based protocols for access, versioning,
collaboration, security, and searching. Administrative users can use the browser-based
SAS Web Administration Console to create, delete, and manage permissions for folders
on the SAS Content Server. Administrative users can also search the SAS Content
Server by using industry-standard query syntax, including XML Path Language (XPath)
and DAV Searching and Locating (DASL).
16 Chapter 1 / Working in the Middle-Tier Environment
SAS Web Applications
The SAS web applications described in this section have user interfaces that are used
by people other than administrators. These applications require a web browser on each
client machine and run in an instance of SAS Web Application Server that is installed on
a middle-tier machine. These applications communicate with the user by sending data
to and receiving data from the user's web browser. For example, these applications
display a user interface by sending HTML that includes HTML forms, Java Applets, or
Adobe Flash content. The user can interact and submit input to the application by
sending an HTTP response, usually by clicking a link or submitting an HTML form.
SAS Web Report Studio
SAS Web Report Studio is a web application that anyone can use to view, interact with,
create, and distribute public and private reports. Reports can be scheduled to run
unattended on a recurring basis and then distributed using e-mail. SAS Web Report
Studio requires the SAS BI Report Services (which includes the report output
generation tool) and the SAS BI Report Services Configuration (which creates libraries
used by the SAS Web Report Studio).
SAS Information Delivery Portal
The SAS Information Delivery Portal is a web application that enables you to aggregate
data from a variety of sources and present the data in a web browser. The web browser
content might include the output of SAS Stored Processes, links to web addresses,
documents, syndicated content from information providers, SAS Information Maps, SAS
reports, and web applications. The portal also provides a secure environment for
sharing information with users.
Using the portal, you can distribute different types of content and applications as
appropriate to internal users, external customers, vendors, and partners. You can use
the portal along with the Publishing Framework to perform the following tasks:
n
Publish content to SAS publication channels or WebDAV repositories
SAS Web Applications
n
Subscribe to publication channels
n
View packages published to channels
17
The portal's personalization features enable users to organize information about their
desktops in a way that makes sense to them.
For more information, see the SAS Information Delivery Portal Help, which is available
from within the product.
SAS BI Dashboard
SAS BI Dashboard enables users to create, maintain, and view dashboards to monitor
key performance indicators that convey how well an organization is performing. SAS BI
Dashboard includes an easy-to-use, drag and drop interface for creating dashboards
that include graphics, text, colors, and hyperlinks. The application leverages Flash in the
Rich Internet Application (RIA) architecture.
The Dashboard Viewer enables users to:
n
Interact with data through interactive highlighting
n
Quickly get to a subset of data through prompts and filters
Dashboards can link to:
n
SAS reports and analytical results
n
Scorecards and objects associated with solutions such as SAS Strategy
Management
n
Stored Processes
n
Indicators
n
Virtually any item that is addressable by a Uniform Resource Identifier (URI)
With the ability to save favorite dashboards and add comments, users can collaborate
and easily access dashboards with customized information. All content is displayed in a
role-based, secure, customizable, and extensible environment.
18 Chapter 1 / Working in the Middle-Tier Environment
SAS BI Portlets
The SAS BI Portlets are based on JSR 168 and are available with SAS Enterprise
Business Intelligence Server. These portlets are seamlessly integrated into the SAS
Information Delivery Portal. SAS BI Portlets enable users to access, view, or work with
content items that reside in either the SAS Metadata Server or the SAS Content Server.
SAS Help Viewer for the Web
Your installation can include the SAS Help Viewer for the Web. This application enables
users to view and navigate SAS online Help in the various SAS web applications. This
application combines the Help viewer with the Help content for various SAS web
applications and creates a WAR file that is deployed on the web application server.
Users access the Help contents for each application through the Help menu that is
provided with each SAS web application.
The application also provides an administrative interface that is used to view the status
of the documentation products. Administrators can use this interface to determine
whether the documentation products were installed correctly, or whether there was a
configuration problem. The administration interface is available from http://
hostname.example.com/SASWebDoc.
Starting the Web Applications
To start the web applications, follow these steps:
1 Start the SAS servers and services in the correct order. For more information about
the sequence, see “Overview of Server Operation” in SAS Intelligence Platform:
System Administration Guide.
2 Start a browser session and point the browser to the web application that you want
to access. For the correct URL, see the Instructions.html document, which
resides in the Documents subdirectory of your configuration directory. The exact URL
Starting the Web Applications
varies depending on the host name and port number that was defined for your
environment.
19
20 Chapter 1 / Working in the Middle-Tier Environment
21
2
Interacting with the Server Tier
Configuration Shared between the Middle Tier
and the Server Tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
SMTP Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
SAS Web Infrastructure Platform Data Server . . . . . . . . . . . . . . . . . . . . . . 23
About the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Installation Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Network Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
JDBC Data Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
About the Data Sources Used by the Middle Tier . . . . . . . . . . . . . . . . . . 26
Connection Information for the JDBC Data Source . . . . . . . . . . . . . . . . 27
Job Execution Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuration Shared between the
Middle Tier and the Server Tier
The web applications and services that form the SAS middle tier require specific
connections to servers that are associated with the server tier. You might want to modify
the connections and settings in the following ways:
n
Change the connection to an SMTP mail server.
22 Chapter 2 / Interacting with the Server Tier
n
Understand the use of the SAS Web Infrastructure Platform Data Server.
n
Modify the JDBC data source that provides a connection to a relational database.
n
Modify the Job Execution Services settings.
SMTP Mail Server
The SAS Web Infrastructure Platform includes a SAS Mail Service that is used by SAS
web applications and services to send e-mail messages such as alert notifications and
administrative status updates. The SAS Mail Service relies on a Java Mail Session that
is defined in SAS Web Application Server. The Java Mail Session provides the single
point of configuration to an external SMTP mail server that your site designates to use
for application e-mail. Because the SAS Mail Service relies on this single configuration
location, if the SMTP mail server changes, you can modify the appropriate settings in a
single place.
The Java Mail Session depends on configuration information that defines the mail
transport capabilities. The SAS Mail Service requires that the following minimum set of
mail properties be specified:
mail.transport.protocol
This property must be set to smtp.
mail.smtp.host
This property must be set to the host name of the SMTP mail server.
mail.smtp.port
This property must be set to the corresponding port (typically 25 for SMTP servers).
mail.debug
This property is set to false. You can set the value to true for assistance with
debugging mail transactions.
In a standard installation of SAS middle-tier components, the configuration of the Java
Mail Session is typically automated using prompted values that are provided by the
installer. To modify the settings for the Java Mail Session (for example, if the host name
SAS Web Infrastructure Platform Data Server
23
of the SMTP mail server changes), edit the SAS-config-dir\Levn\Web
\WebAppServer\SASServer1_1\conf\server.xml file. If you have more than one
server instance, edit the server.xml file for each server. Change the following line:
<Resource auth="Container"
mail.smtp.host="smtp.example.com"
mail.smtp.port="25"
name="sas/mail/Session"
type="javax.mail.Session"/>
If the mail server information, such as host name or port number, is changed, then it
must be changed in SAS metadata as well. To set the new values, follow these steps:
1 Log on to SAS Management Console and select Application Management 
Configuration Manager.
2 Right-click SAS Application Infrastructure and select Properties.
3 Click Advanced, and then set the new values for Email.Host or Email.Port.
SAS Web Infrastructure Platform Data
Server
About the Server
SAS Web Infrastructure Platform Data Server is included in your deployment for use as
transactional storage by SAS middle-tier software and some SAS solutions software.
The server is based on PostgreSQL 9.1.9. The server is configured specifically to
support SAS software. Some of the settings are provided in the next section.
The server is automatically configured by the SAS Deployment Wizard during
installation and configuration. By default, the SAS installer account is used to start the
server.
The databases that are managed by the server are backed up and restored with the
Backup and Recovery Deployment Tool. For information about the tool, see SAS
Intelligence Platform: System Administration Guide.
24 Chapter 2 / Interacting with the Server Tier
Installation Directory
The SAS Deployment Wizard installs and configures a server instance in the SASconfig-dir\Lev1\WebInfrastructurePlatformDataServer directory. This
path includes the following script and directories:
webinfdsrvc.bat
This script is used to start, stop, and determine the running status for the server. It
specifies the network port number and the path to the data directory. For UNIX
deployments, the script is named webinfdsrvc.sh and is configured to start the server
as the SAS installer account.
data
This directory contains server configuration files and the data files for the databases
that are managed by the server. SAS configures the server to store data in the
UTF-8 character encoding. Do not modify the files in this directory without direction
from SAS technical support.
Logs
SAS configures the server to generate log files in this directory. Log files are rotated
automatically after they reach 10 MB.
The _webinfdsvrc_console.log file is generated during start-up. Look at this log first if
you have trouble starting the server.
Databases
In a SAS 9.4 Enterprise Business Intelligence deployment, the server is configured to
manage the following databases:
Administration
This database contains configuration information for the modules that SAS develops
to extend the features of SAS Environment Manager.
SAS Web Infrastructure Platform Data Server
25
EVManager
This database is used by SAS Environment Manager. The database contains
configuration and metric information for the machines and servers that SAS
Environment Manager manages in your deployment.
SharedServices
This database is used by the SAS web applications and middle-tier software. For
example, comments that are added through various web applications are stored in
this database. Digital content that is stored with SAS Content Server is also stored in
this database.
Note: You can choose to use a third-party vendor database server for this database
when you install and configure software with the SAS Deployment Wizard. This
database is identified as the SAS Web Infrastructure Platform Database on the
pages in the wizard.
If your deployment includes SAS solutions software that supports SAS Web
Infrastructure Platform Data Server, then more databases might be configured on the
server.
Network Access
The server is configured to accept connections on all network interfaces and requires
password authentication. By default, SAS configures the server to use network port
number 9432. This network port number avoids conflicts with the default port (5432) that
other PostgreSQL servers might use.
SAS Web Application Server instances are configured with JDBC Data Sources that
reference the SharedServices database and the Administration database. SAS
Environment Manager is configured for access to the EVManager and the
Administration database.
26 Chapter 2 / Interacting with the Server Tier
JDBC Data Sources
About the Data Sources Used by the Middle
Tier
The SAS Web Infrastructure Platform and some solutions provide a set of features that
rely on a relational database to store service data. These relational tables differ from the
data that is analyzed, modeled, or otherwise processed by SAS applications, which
typically is derived from a site's enterprise or legacy sources. Instead, the relational
tables in the SAS Web Infrastructure Platform database are intrinsic to or used primarily
for the operations of a particular application, product, or service.
SAS web applications and services access data from the SAS Web Infrastructure
Platform database through JDBC. SAS Web Infrastructure Platform provides support for
the following third-party vendor databases:
n
Oracle Database
n
IBM DB2
n
Microsoft SQL Server
n
MySQL
n
PostgreSQL
n
Teradata Database
Your site can choose to use the database that you are familiar with. However, some
SAS solutions have requirements for specific databases. Consider these requirements
when you select a database to use as the data source for the SAS Web Infrastructure
Platform. As a default option, the SAS Web Infrastructure Platform Data Server can be
configured as the data source for SAS Web Infrastructure Platform.
JDBC Data Sources
27
Connection Information for the JDBC Data
Source
The database used by the SAS Web Infrastructure Platform must be configured in SAS
Web Application Server as a JDBC data source. The JDBC data source is configured
with the JDBC driver and connection information for the selected database. These
settings are provided to the SAS Deployment Wizard during installation and
configuration. You need to know the JDBC connection parameters if you make changes
later, such as changing the connection to access a database on another machine.
JDBC connection settings typically require a user ID and password for access to the
data source.
The default database server for SAS Web Infrastructure Platform is the SAS Web
Infrastructure Platform Data Server. The JDBC connection parameters for the server
are provided in the following table:
Table 2.1
JDBC Connection Parameters for SAS Web Infrastructure Platform Data Server
Connection Parameter
Setting
JNDI name:
sas/jdbc/SharedServices
JDBC URL:
jdbc:postgresl://serverName:port/SharedServices
In the URL, substitute the server name and port number of the
SAS Web Infrastructure Platform Data Server at your site. The
default port is 9432.
JDBC driver class:
org.postgresql.Driver
These settings are configured during initial deployment. However, you need to know the
connection information if you make changes later, such as moving the server to another
host system.
Note: You must specify the user name and password values as required to access the
data source.
28 Chapter 2 / Interacting with the Server Tier
These settings are represented in SAS Web Application Server in the SAS-configdir\Levn\Web\WebAppServer\SASServer1_1\conf\server.xml file:
<Resource auth="Container" driverClassName="org.postgresql.Driver"
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" initialSize="10"
jdbcInterceptors="org.apache.tomcat.jdbc.pool.interceptor.ConnectionState;
org.apache.tomcat.jdbc.pool.interceptor.StatementFinalizer"
jmxEnabled="true" maxActive="100" name="sas/jdbc/SharedServices"
password="${pw.sas.jdbc.SharedServices}" testOnBorrow="true"
type="javax.sql.DataSource"
url="jdbc:postgresql://hostname.example.com:9432/SharedServices"
username="SharedServices" validationInterval="30000"
validationQuery="select 1"/>
The postgresql.jar JAR file provides the org.postgresql.Driver class. SAS provides the
JAR file in the SASHOME\SASWebInfrastructureDataBaseJDBCDrivers
\9.4\Driver directory.
Job Execution Service
The service provides a common, standardized way for applications to create, submit,
store, retrieve, and queue jobs for SAS servers. The service can be configured with the
Configuration Manager plug-in to SAS Management Console. The settings define the
Job Execution Service
job thread pool and the execution thread pools for all logical servers that the service
uses for delegating work.
Figure 2.1 Job Execution Service Settings
Table 2.2
Job Execution Service Settings Descriptions
Setting
Default Value
Description
Job Queue Minimum
Threads
5
Minimum number of job queue threads to
create for incoming job requests.
29
30 Chapter 2 / Interacting with the Server Tier
Setting
Default Value
Description
Job Queue Maximum
Threads
30
Maximum number of job queue threads to
create if the demand requires additional
resources.
Enable role-based security Disabled
If enabled, then the job execution service
checks the identity and the job characteristics
to make sure the identity making the request
meets the assigned permissions. For more
information, see Table 2.3 on page 32.
Enable job persistence
Jobs are kept in memory only if persistence is
disabled. If persistence is disabled and the
SAS Web Infrastructure Platform Services
application or the web application server is
stopped, then no records are written to the
SAS Web Infrastructure Platform database
about any jobs that were submitted. When
persistence is enabled, the job execution
services can restart any jobs that were
submitted, queued, or running. For jobs that
are complete, clients can fetch the results
after a restart, when persistence is enabled.
Enabled
Note: Persistence must be enabled when
SAS Web Application Server is clustered.
Enable Distributed-IP
Scheduler job runner
Disabled
If enabled, then the distributed in-process
scheduler is used for running scheduled jobs.
Disable this setting if Platform Suite for SAS
is available and the preferred scheduling
method.
Available Server Contexts
SASApp
Use the controls to select the server context
to configure.
Enable for interactive
execution
Disabled
If enabled, then the servers in the associated
server context perform interactive workspace
tasks and interactive stored process tasks
only. If disabled, then the servers can perform
batch and interactive job execution.
Server Minimum Threads
1
Minimum number of task threads to create for
incoming job requests.
Job Execution Service
Setting
Default Value
Description
Server Maximum Threads
varies
Maximum number of task threads to create if
the demand requires additional resources.
Server Resources
31
You can associate resources with servers
and then a job can specify that it requires a
resource. For example, you can associate a
printer name with SASApp. When a client
submits a job, and specifies that it requires
the printer resource, the job execution service
makes sure that the job runs on that server
even when other servers are available.
The default settings are designed to provide good performance in a variety of operating
environments. Before modifying the settings, consider enabling the auditing features of
the job execution services to review the performance with the default settings. For
information about enabling auditing, see “Configuring Auditing for SAS Web
Applications” on page 80.
To modify any of these settings, follow these steps:
1 Log on to SAS Management Console as an administrator.
2 On the Plug-ins tab, navigate to Application Management  Configuration
Manager  SAS Application Infrastructure  Web Infra Platform Services 9.4.
3 Right-click JobExecutionService and select Properties.
4 Click the Settings tab.
5 Modify the settings and then click OK.
Settings are not applied and made active automatically. They are activated when restart
the SAS Web Infrastructure Platform Services or SAS Web Application Server.
Alternatively, you can set the state of some properties at run time through the JMX bean
(MBean) for the service with a JMX console.
32 Chapter 2 / Interacting with the Server Tier
The default configuration for the job execution services does not check role-based
permissions. If role-based security is enabled, then the job execution service checks
that the identity submitting the request has sufficient permission.
Table 2.3
Job Execution Service Roles
Role
Capabilities
Job Execution: Job Administrator
Can submit jobs of high, normal, and low
priority and perform all job-related operations.
Job Execution: Job Designer
Can add, update, or remove jobs and tasks
from metadata.
Job Execution: Job Scheduler
Can schedule jobs.
Job Execution: Job Submitter
Can submit normal priority jobs for execution.
Job Execution Service
33
The following figure shows the default capabilities associated with the job administrator
role.
Figure 2.2
Job Administrator Capabilities
34 Chapter 2 / Interacting with the Server Tier
35
Part 2
Middle-Tier Components
Chapter 3
Administering SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Chapter 4
Administering SAS Web Application Server . . . . . . . . . . . . . . . . . . . 45
Chapter 5
Administering Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Chapter 6
Administering JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
36
37
3
Administering SAS Web Server
About SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installing SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Automatic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Manual Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Using HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Understanding the SAS Web Server Configuration . . . . . . . . . . . . . . . 40
Understanding SAS Web Server Management . . . . . . . . . . . . . . . . . . . . . 41
Using the httpdctl Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Using the appsrvconfig Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Using Windows Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Using SAS Environment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Monitoring SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Viewing Performance with SAS Environment Manager . . . . . . . . . . . 42
Viewing Load-Balancing Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
About SAS Web Server
SAS Web Server is an HTTP server. The server is based on VMware vFabric Web
Server. SAS configures the server with the following features:
n
automatically configured as a load-balancing HTTP server when SAS Web
Application Server is clustered.
38 Chapter 3 / Administering SAS Web Server
n
automatically updated to route web sessions (round robin) to SAS Web Application
Server instances when clustered.
n
can be configured for HTTPS automatically. You must supply a signed certificate
and a private key. You can follow manual steps to change a configuration that used
HTTP to HTTPS.
n
automatically configured to cache static web content like JavaScript files, cascading
style sheets, and graphics files.
The followinge advanced configurations are possible, but require manual configuration
that is not automatically updated:
n
adding instances of SAS Web Server to form a cluster
n
interacting with customer-supplied load-balancing hardware or software
Installing SAS Web Server
Automatic Configuration
SAS Web Server is installed with the SAS Deployment Wizard. The wizard can also
automatically configure the server. By default, the server is installed on the same
machine as SAS Web Application Server. However, because the topology is defined in
a plan file that the wizard uses, the server can be deployed to a different machine if the
topology is defined that way in the plan file.
To use this feature, select the Configure SAS Web Server automatically check box
on the SAS Web Server: Automated or Manual Configuration Option page of the SAS
Deployment Wizard.
Manual Configuration
If you prefer to configure SAS Web Server manually, make sure the Configure SAS
Web Server automatically check box is not selected when you use the SAS
Deployment Wizard. Once the wizard completes, the Instructions.html file provides step-
Installing SAS Web Server 39
by-step instructions that describe how to configure the server manually. The instructions
are customized for your deployment, including the correct host names and file system
paths.
If you choose to configure the server manually, you must also configure SAS Web
Application Server manually.
Using HTTPS
If you plan to use HTTPS, then it is best to enable the feature during the installation and
configuration time frame with the SAS Deployment Wizard. The SAS Deployment
Wizard prompts for a CA-signed certificate and private key. Both must be in PEM
encoded format.
If you have a CA-signed certificate, the SAS Deployment Wizard prompts for the path to
the certificate and the path to the RSA private key that is not protected with a pass
phrase. An RSA private key file that is not protected with a pass phrase begins as
follows:
Example Code 3.1 RSA Private Key without a Pass phrase
-----BEGIN RSA PRIVATE KEY----MIICXgIBAAKBgQC4vPQMyiVKvjIERVNfa34iVxeauzcUa8zc2xBHRlJ43uAvvWuL
63yeGl8QQoT55yqhAWhs62i24lE34t2ituhCm0QYbU1KiyB9PNyfOk3/2E7Y7o1T
Do not use an encrypted private key. An encrypted RSA private key file begins as
follows:
Example Code 3.2
Encrypted RSA Private Key
-----BEGIN RSA PRIVATE KEY----Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FB353F5E4F1719EB
LigQnszN4joO24QonLHCEl7d4LlLa6uMEqdxhl1PX8O4o+pbY5cEQJBbCiRlEmfg
Io5V/YZUa+uGG82ULsAUy3zWTHP+OjxpTV/3gjLwbmD3+JM5Dd0jFLGenfPF5hld
The SAS Deployment Wizard also prompts for the certificate. A certificate file from a
certificate authority typically begins as follows:
Example Code 3.3
Certificate:
Data:
Certificate Authority-Signed Certificate
40 Chapter 3 / Administering SAS Web Server
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
...
-----BEGIN CERTIFICATE----MIIDhDCCAu2gAwIBAgIBATANBgkqhkiG9w0BAQQFADB+MQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCTkMxDTALBgNVBAcTBENhcnkxDDAKBgNVBAoTA1NBUzENMAsGA1UE
Understanding the SAS Web Server
Configuration
The default location for SAS Web Server is SAS-config-dir\Levn\WebServer. Key
files and directories are as follows:
bin
This directory includes a command for starting and stopping the server. For more
information, see “Using the httpdctl Command”.
conf
SAS software manages the configuration files in this directory. If you modify a file,
your customizations are overwritten the next time SAS software configures the
server.
Do not modify configuration files manually. Many settings, such as network port
number, are managed in SAS metadata as well. Use the SAS Deployment Manager
and SAS Deployment Wizard for configuring SAS Web Server.
ssl
If you enabled HTTPS during installation and configuration with the SAS Deployment
Wizard, then this directory is used to store the certificate and private key for the
server. If you supplied a CA-signed certificate and private key to the wizard, both
files are copied to this directory. The files are also renamed to include the host
name, as follows:
hostname.crt
hostname.key
Understanding SAS Web Server Management
41
TIP If you need to replace a certificate—for example, to avoid having a certificate
expire—then replace the file in this directory.
Understanding SAS Web Server
Management
Using the httpdctl Command
The server is configured with a httpdctl.ps1 command in the bin directory. On
UNIX and z/OS, the command is httpdctl.
UNIX Specifics: If you configured SAS Web Server to use network port numbers below
1024, then you must run the httpdctl command with super user privileges, such as
sudo.
sudo ./httpdctl restart
Windows Specifics: The httpdctl.ps1 is a Windows PowerShell script. You might
need to set the execution policy with powershell set-executionpolicy
remotesigned.
powershell .\httpdctl.ps1 restart
Using the appsrvconfig Command
A configuration scripting tool for SAS Web Server is located in the SAS-config-dir
\Levn\Web\Scripts\WebServer directory. The appsrvconfig.cmd command
can be used for starting, stopping, and restarting SAS Web Server.
appsrvconfig.cmd start
appsrvconfig.cmd stop
appsrvconfig.cmd restart
The actual task is identified in a command task file that is located in the SAS-configdir\Levn\Web\Scripts\WebServer\props. The file is generated and then
executed. The file does not exist until the appsrvconfig.cmd command is used.
42 Chapter 3 / Administering SAS Web Server
Information about using the appsrvconfig.cmd command for configuration tasks is
provided in SAS Configuration Scripting Tools on page 301.
Using Windows Services
For deployments that use the Windows operating environment, the default action for the
SAS Deployment Wizard is to register each server instance as a service. The naming
convention is similar to the following example:
SAS [Config-Lev1] httpd - WebServer
Using SAS Environment Manager
SAS Environment Manager provides an interface that you can access with a web
browser. You can start and stop SAS Web Server with the web interface.
Monitoring SAS Web Server
Viewing Performance with SAS Environment
Manager
The primary user interface for monitoring the server is SAS Environment Manager.
Numerous metrics are collected from the server.
In SAS Environment Manager, SAS Web Server is represented as vFabric Web
Server 5.2 Virtual Host.
For administrators that are familiar with monitoring Apache HTTP Server, the metrics
that are collected for vFabric Web Server 5.2 Virtual Host are related to mod_bmx.
See Also
SAS Environment Manager: User's Guide
Monitoring SAS Web Server
43
Viewing Load-Balancing Statistics
SAS Web Server is configured to load-balance requests, even if only one SAS Web
Application Server instance is configured. You can access the information by opening a
web browser from the machine that is hosting SAS Web Server and accessing the
following URL:
http://localhost/balancer-manager
The web page provides information about each load balancer. Some of the information
is identified in the following list:
n
routes (each instance of SAS Web Application Server is identified as a route)
n
route status
n
the amount of network traffic to and from each route
44 Chapter 3 / Administering SAS Web Server
45
4
Administering SAS Web Application
Server
About SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Installing SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Automatic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Manual Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Multiple Machine Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Understanding the SAS Web Application Server
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Server Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Server Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Specifying JVM Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Deploying Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Understanding SAS Web Application Server Management . . . . . . 50
Using the tcruntime-ctl Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Using the appsrvconfig Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Using Windows Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Using SAS Environment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Monitoring SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
46 Chapter 4 / Administering SAS Web Application Server
About SAS Web Application Server
SAS Web Application Server is a lightweight server that provides enterprise-class
features for running SAS web applications. The server is based on VMware vFabric tc
Server. By packaging the server and software that can automate server configuration
tasks, SAS simplifies the demands for managing a web application server.
Though the server is based on a commercially available third-party software product,
the server is deployed and configured specifically to provide an environment for the
SAS web application and the middle-tier environment. The configuration tools that are
packaged with the software ease the administration of the server in a SAS environment
because the tools are designed to interact with the SAS Metadata Server and other
SAS software products to maintain reliability and reduce administration in the SAS
deployment.
The following list identifies some enhancements that are implemented in SAS Web
Application Server:
n
automatically connects to Cache Locator on server start-up for distributed
communication.
n
accesses the JMS resources provided by JMS Broker.
n
automatic directory scanning for changes to files is disabled. This change conserves
computing resources.
n
JAR file scanning is optimized to reduce start-up times.
Installing SAS Web Application Server
Automatic Configuration
By default, SAS Web Application Server is installed by the SAS Deployment Wizard
when you install SAS software for your deployment. The SAS Deployment Wizard can
Installing SAS Web Application Server
47
automatically configure a server instance, deploy the web applications, and also
automatically configure related middle-tier components such as SAS Web Server, JMS
Broker, and Cache Locator.
To use this feature, select the Configure the web application server automatically
check box on the Web Application Server: Automatic Configuration page of the SAS
Deployment Wizard.
Manual Configuration
If you prefer to configure SAS Web Application Server manually, make sure the
Configure the web application server automatically check box is not selected when
you use the SAS Deployment Wizard. Once the wizard completes, the Instructions.html
file provides step-by-step instructions for how to configure the server manually. The
instructions are customized for your deployment, including the correct host names and
file system paths.
The generated Instructions.html file also includes information about installing and
configuring the related middle-tier components: SAS Web Server, JMS Broker, and
Cache Locator.
Multiple Machine Installation
You can install and configure SAS Web Application Server on multiple machines to
provide better performance, scalability, and high availability. This is called horizontal
clustering.
You can have the SAS Deployment Wizard automatically configure the additional
instances, or configure them manually. For more information, see “Adding a Horizontal
Cluster Member” on page 212.
48 Chapter 4 / Administering SAS Web Application Server
Understanding the SAS Web Application
Server Configuration
Server Naming
The default name for the first server instance is SASServer1_1.
The server name and instance is broken down as follows:
SASServer1
This portion identifies the server name.
_1
This portion identifies the first instance of the server. Additional instances of this
server (for vertical clustering) increment the number as in _2, _3, and so on.
Your deployment might include additional managed servers. If your deployment
includes a SAS solution, the web applications related to the solution might be deployed
to managed servers with names like SASServer8_1 or SASServer12_1.
Your deployment might include SASServer2_1. This server instance is created when
the SAS Deployment Wizard is used at the custom prompting level and enabling the
multiple managed server option. This option is useful for distributing some of the web
applications to the SASServer2_1 instance.
If you have configured multiple instances of a managed server, such as SASServer1_1
and SASServer1_2, then the web applications that support clustering are deployed
identically to each instance. Each of these instances is a vertical cluster member. For
applications that do not support clustering, only one instance is configured on the first
server instance.
See Also
“Adding a Vertical Cluster Member” on page 211
Understanding the SAS Web Application Server Configuration
49
Server Directories
Configured instances of SAS Web Application Server are stored in the SAS-configdir\Levn\WebAppServer directory and subdirectories.
SAS-config-dir\Levn\Web\WebAppServer\SASServer1_1
This directory represents an instance of the SAS Web Application Server.
Information about some of the subdirectories is as follows:
bin
This directory includes a command for starting and stopping the server. More
information about controlling the server is described in “Understanding SAS Web
Application Server Management”.
conf
SAS software manages the configuration files in this directory. If you modify a
file, your customizations are overwritten the next time SAS software configures
the server.
sas_webapps
This directory is used for the SAS web applications. SAS software manages the
addition and removal of web applications from the directory.
Specifying JVM Options
For some advanced configuration procedures, you might need to change JVM options
for the server.
For Windows deployments, the JVM options are specified in the SAS-config-dir
\Lev1\Web\WebAppServer\SASServer1_1\conf\wrapper.conf file and the
SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\bin\setenv.bat
file. If you have multiple instances of SAS Web Application Server, make the same
changes in each of the files.
For UNIX deployments, JVM options are specified in the SAS-config-dir/
Lev1/Web/WebAppServer/SASServer1_1/bin/setenv.sh file. If you have
multiple server instances, make the changes in each setenv.sh file.
50 Chapter 4 / Administering SAS Web Application Server
Deploying Web Applications
During the installation and configuration that is performed with the SAS Deployment
Wizard, the SAS web applications are automatically deployed if SAS Web Application
Server is automatically configured.
See Also
For information about redeploying, see “Redeploy Web Applications” on page 108.
Understanding SAS Web Application
Server Management
Using the tcruntime-ctl Command
Each server instance provides a tcruntime-ctl.cmd command in the bin directory.
The command is tcruntime-ctl.sh on UNIX and z/OS.
If you use this command to start, stop, or restart a server instance, be aware that it
affects only the single server instance. The command does not start or stop any middletier components that the server depends on. The command syntax is as follows:
tcruntime-ctl.cmd start
tcruntime-ctl.cmd stop
tcruntime-ctl.cmd restart
Note: On Windows, the status option does not indicate whether the server is running
or stopped.
Using the appsrvconfig Command
Each machine that is used to run SAS Web Application Server for the SAS middle-tier
includes the SAS Configuration Scripting Tools in the SAS-config-dir\Levn\Web
Understanding SAS Web Application Server Management
51
\Scripts\AppServer directory. The appsrvconfig.cmd command can be used for
starting, stopping, and restarting all the SAS Web Application Server instances on the
machine as well as any middle-tier components that the server depends on.
For example, the command appsrvconfig.cmd restart automatically performs the
following tasks:
1 Stops all SAS Web Application Server instances
2 Stops JMS Broker
3 Stops Cache Locator
4 Starts Cache Locator
5 Starts JMS Broker
6 Starts all SAS Web Application Server instances
The actual tasks are identified in a command task file that is located in the SASconfig-dir\Levn\Web\Scripts\AppServer\props. The file is generated and
then executed. The file does not exist until the appsrvconfig.cmd command is used.
Information about using the appsrvconfig.cmd command for configuration tasks is
provided in SAS Configuration Scripting Tools on page 301.
Using Windows Services
For deployments that use the Windows operating environment, the default action for the
SAS Deployment Wizard is to register each server instance as a service. The naming
convention is similar to the following example:
SAS [Config-Lev1] WebAppServer SASServer1_1
The Windows service has the advantage of providing the server status (started or
stopped), which is not available with the tcruntime-ctl.bat command line tool. In addition,
the Windows service manages the service dependencies.
52 Chapter 4 / Administering SAS Web Application Server
Using SAS Environment Manager
SAS Environment Manager provides an interface that you can access with a web
browser. You can start and stop SAS Web Application Server with the web interface.
When you start a server instance with SAS Environment Manager, the application
indicates that the server started successfully before the server actually completes
starting.
The command-line interface (tcsadmin) that is available with SAS Environment
Manager can be used for inventory and control operations. Do not use it for application
management or configuring instances and groups because you can create
inconsistencies with the deployment software developed by SAS.
See Also
SAS Environment Manager: User's Guide
Monitoring SAS Web Application Server
The SAS 9.4 release introduces SAS Environment Manager. A SAS Environment
Manager Agent is installed on the same machine as SAS Web Application Server and
reports metrics to SAS Environment Manager.
You can access SAS Environment Manager from a URL that is similar to the following
example:
http://hostname.example.com:7080
Note: The server portion of SAS Environment Manager runs in its own instance of a
web application server. However, SAS Environment Manager is configured to use SAS
Logon Manager for authentication, and this requires that SAS Web Application Server is
running before you can access SAS Environment Manager.
See Also
SAS Environment Manager: User's Guide
53
5
Administering Cache Locator
About the Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Installing Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Single Machine Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Multiple Machine Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Understanding the Cache Locator Configuration . . . . . . . . . . . . . . . . . . 54
Setting the Bind Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
About the Cache Locator
The Cache Locator is based on VMware vFabric GemFire. The software is used by
applications on server-tier and middle-tier machines to locate other members and form
a data cache. When SAS Web Application Server starts, it contacts one of the locators
that is specified in the sas.cache.locators JVM option to initialize communication
with the distributed cache. With that information, SAS Web Application Server instances
form the cache that is needed to share run-time information.
A locator is also configured on the server tier to provide access to the data cache for
stand-alone client applications like the SAS Web Infrastructure Platform Scheduling
Services (wipschedbatch.bat).
54 Chapter 5 / Administering Cache Locator
Installing Cache Locator
Single Machine Deployments
In a single-machine deployment where the middle tier and the server tier are on the
same machine, only one locator is installed by the SAS Deployment Wizard.
SAS Web Application Server uses the locator. If more than one instance of SAS Web
Application Server is configured, each instance uses the locator to learn about the other
server instances to form the cache.
Multiple Machine Deployments
A locator is installed on the first middle-tier machine by the SAS Deployment Wizard. A
locator is also installed on each server-tier machine that includes SAS Web
Infrastructure Platform Scheduling Services.
Understanding the Cache Locator
Configuration
The default location for the cache locator is SAS-config-dir\Levn\Web\gemfire
\instances\ins_port-number. Key files and directories are as follows:
gemfire-locator.sh
This script exists on UNIX deployments only. It can be used with one of the following
arguments: start, stop, or status.
gemfire-start-locator-sas.sh
This script exists on UNIX deployments only. Use this file to specify JVM options for
UNIX deployments.
Setting the Bind Address
55
gemfire-locator-zos.jcl
This script exists on z/OS deployments only. Use this file to specify JVM options for
z/OS deployments.
gemfire.log
This is the log file for the cache locator. Be aware that it is different from the log file
with the same name that is written to SAS-config-dir\Levn\Web
\WebAppServer\SASServer1_1\logs.
wrapper.conf
This file exists on Windows deployments only. It is used when you operate the SAS
[Config-Lev1] Cache Locator service. Use this file to specify JVM options for
Windows deployments.
Setting the Bind Address
When the locator is deployed on a machine that has more than one network interface,
one network interface is used by default. In some cases, the network interface that is
selected as the default is not the network interface that you want the locator to use.
You specify the network bind address to use for network traffic, add the Dgemfire.bind_address=preferred-ip-address JVM option. For information
about how to specify the options, see “Understanding the Cache Locator Configuration”
on page 54.
If SAS Web Application Server is deployed on the same machine, specify the same Dgemfire.bind_address=preferred-ip-address JVM option. For more
information, see Specifying SAS Web Application Server JVM Options on page 49.
56 Chapter 5 / Administering Cache Locator
57
6
Administering JMS Broker
About JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Installing JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Understanding the JMS Broker Configuration . . . . . . . . . . . . . . . . . . . . . 58
Monitoring JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
About JMS Broker
JMS Broker is based on Apache ActiveMQ. The broker is installed and configured with
the SAS Deployment Wizard. By default, the broker listens on network port number
61616.
SAS middle-tier software uses the broker for Java Messaging Services (JMS). Some
SAS web applications use JMS connection factories, queues, and topics for
implementing business logic. These resources are configured in SAS Web Application
Server for use by the SAS web applications.
Installing JMS Broker
The broker is installed and configured with the SAS Deployment Wizard. If you perform
an automatic configuration of SAS Web Application Server, then the broker is
automatically installed and configured. If you prefer to perform a manual configuration of
58 Chapter 6 / Administering JMS Broker
SAS Web Application Server, then you must install and configure the broker. The stepby-step instructions are provided in the Instructions.html file that is generated by the
SAS Deployment Wizard.
An instance of the broker is installed on the first machine that is used for the SAS
middle tier. If you use the SAS Deployment Wizard to configure an additional middle-tier
node on another machine, then those server instances are configured with connection
information for the broker.
Understanding the JMS Broker
Configuration
The default location for the broker is SAS-config-dir\Levn\Web\activemq. Key
files and directories are as follows:
bin
On UNIX deployments, the activemq command is included in this directory. You
can use the start, stop, restart, or status options with the command.
On Windows deployments, use the service that is registered with Windows to
manage the broker. The activemq.bat command is not configured for use with
SAS software.
data
The activemq.log file is written in this directory.
Monitoring JMS Broker
The primary user interface for monitoring the server is SAS Environment Manager.
Numerous metrics are collected from the broker.
In SAS Environment Manager, the broker is represented as host-name ActiveMQ 5.7.
Statistics for the broker itself as well as the queues and topics are also gathered.
59
Part 3
Middle-Tier Applications
Chapter 7
Administering the SAS Web Infrastructure Platform . . . . . . . . . 61
Chapter 8
Administering SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . 101
Chapter 9
Administering SAS Logon Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Chapter 10
Administering the SAS Content Server . . . . . . . . . . . . . . . . . . . . . . . . 135
Chapter 11
Administering the SAS BI Web Services . . . . . . . . . . . . . . . . . . . . . . 159
60
Chapter 12
Administering SAS Web Application Themes . . . . . . . . . . . . . . . . 171
Chapter 13
Administering SAS Flex Application Themes . . . . . . . . . . . . . . . . 199
61
7
Administering the SAS Web
Infrastructure Platform
About SAS Web Infrastructure Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Purpose of the SAS Web Infrastructure Platform . . . . . . . . . . . . . . . . . .
SAS Preferences Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SAS Comment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
62
62
63
64
Using Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Overview of Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Summary of Steps for Using Configuration Manager . . . . . . . . . . . . . . 66
Example: Configure a Property for SAS Web Report Studio . . . . . 67
Setting Global Properties for SAS Applications . . . . . . . . . . . . . . . . . . . . 69
Purpose of the SAS Application Infrastructure Properties . . . . . . . . 69
Changing a SAS Application Infrastructure Property . . . . . . . . . . . . . . 70
SAS Application Infrastructure Property Descriptions . . . . . . . . . . . . . 71
Using the SMS Alert Notification Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Specifying Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
About Internal and External Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Changing Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Changing External Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Configuring Auditing for SAS Web Applications . . . . . . . . . . . . . . . . . . 80
Overview of Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Audit Record Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Guidelines for Auditing the SAS Middle Tier . . . . . . . . . . . . . . . . . . . . . . . . 81
Enable Auditing for Additional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
62 Chapter 7 / Administering the SAS Web Infrastructure Platform
Archive Process for Audit Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Purging Audit Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Using the SAS Web Administration Console . . . . . . . . . . . . . . . . . . . . . . . 86
About the SAS Web Administration Console . . . . . . . . . . . . . . . . . . . . . . . 86
Access the SAS Web Administration Console . . . . . . . . . . . . . . . . . . . . . 87
Monitor Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Viewing Audit Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Performing Server Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Managing Notification Templates and Letterheads . . . . . . . . . . . . . . . . 91
Managing Web Infrastructure Platform Privileges and Roles . . . . . 94
Managing Web-layer Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Viewing Information about Web Applications . . . . . . . . . . . . . . . . . . . . . . . 99
About SAS Web Infrastructure Platform
Purpose of the SAS Web Infrastructure
Platform
The SAS Web Infrastructure Platform is a collection of services and applications that
provide common infrastructure and integration features to be used by SAS web
applications. These services and applications provide the following benefits:
n
consistency in installation, configuration, and administration tasks for web
applications
n
greater consistency in users' interactions with web applications
n
integration among web applications as a result of the ability to share common
resources
For a description of the SAS Web Infrastructure Platform services and applications, see
“SAS Web Infrastructure Platform” on page 9.
About SAS Web Infrastructure Platform 63
SAS Preferences Manager
The SAS Preferences Manager is a web application that provides a central facility for
users to manage their preferences and settings.
You can invoke the application by using the following URL:
http://server:port/SASPreferences
Users of SAS Information Delivery Portal can invoke the SAS Preferences Manager
from within the portal. For instructions, see the product Help.
The following figure shows a generic preferences application. The actual preferences
that are available vary depending on the software that is installed. The SAS Preferences
Manager at your site might have additional settings.
Display 7.1
SAS Preferences Manager Console
Here are the generic settings:
General
Specify a theme for the applications. A theme includes settings for colors, fonts, and
graphics.
Users can also specify the format for notifications that are generated by SAS
applications and solutions.
Language
Select the locale (language and country) that you prefer.
64 Chapter 7 / Administering the SAS Web Infrastructure Platform
Format
Select the preferred format for dates, time, and currency.
Portal
Specify the position of the portal navigation bar in the SAS Information Delivery
Portal. You can also specify the sort order for packages that are published in the
portal. You can sort packages in descending order (newest packages are at the top)
or in ascending order (oldest packages are at the top).
SAS Comment Manager
The SAS Comment Manager can be used by SAS web applications to capture user
comments. For example, in SAS Web Report Studio, the File  Comments menu item
enables users to add comments to reports and graphs.
By default, all users who can log on to an application that uses the SAS Comment
Manager can view and create comments. As an administrator, you might also want to
edit and delete comments. Editing and deleting comments are considered
administrative functions.
To edit and delete comments, you must belong to the predefined role, Comments:
Administrator. This role includes the capabilities in the following list. Users that have a
need to edit or delete comments should be assigned to this role.
Note: Due to possible conflicts that can occur when multiple users delete comments in
the same comment thread, the best practice is to limit the number of users to just a few.
To edit or delete a comment, follow these steps:
1 Select the comment in the left pane of SAS Comment Manager.
2 To edit the comment, in the right pane, click Edit. An Edit Comment page opens in
which you can make changes. When you are finished, click Save.
3 To delete the comment, in the right pane, click Delete. You are prompted to confirm
the deletion.
Using Configuration Manager
65
The following figure shows an example of SAS Comment Manager with a comment
displayed.
Display 7.2 SAS Comment Manager
Using Configuration Manager
Overview of Configuration Manager
Configuration Manager is a plug-in available in SAS Management Console. Using the
Configuration Manager, you can perform various administrative tasks such configuring
properties and values and specifying settings for the SAS web applications.
Configuration Manager offers a consistent interface to set properties for all SAS web
applications. Each application has its own properties window with tabs. For example,
66 Chapter 7 / Administering the SAS Web Infrastructure Platform
the following display shows the Settings tab of the Web Report Studio 4.4 Properties
dialog box.
Here is a brief description of the five tabs available in the properties dialog box
associated with a SAS application:
Note: For more information about using these tabs, see the online Help for the
Configuration Manager plug-in in SAS Management Console.
n
The General tab provides basic information about the application.
n
The Connection tab enables you to modify the parameters for connections to SAS
web applications. For more information, see “Specifying Connection Properties” on
page 75.
n
The Settings tab offers default values for settings that can be modified. For
modifying values in the Settings tab, and to understand how the lock and unlock
icons function, see “Setting Global Properties for SAS Applications” on page 69.
n
The Advanced tab includes a limited number of default property names and values.
You can modify existing properties and their values, or add custom properties and
values for SAS web applications.
n
The Authorization tab enables you to specify permissions for users and groups and
apply Access Control Templates.
Although certain XML configuration files (for example,
SASWebReportStudioProperties.xml file for SAS Web Report Studio) are available
and supported for SAS web applications, it is recommended that you use the
Configuration Manager to configure and set properties.
Summary of Steps for Using Configuration
Manager
Here are the main steps for using Configuration Manager:
1 To access Configuration Manager, in SAS Management Console, navigate to Plug-
ins  Application Management  Configuration Manager  SAS Application
Infrastructure.
Using Configuration Manager
67
2 To access the properties for an application, right-click the application's node and
select Properties.
3 Add or modify properties as needed. You might need to unlock particular properties
before you can change them. See “Setting Global Properties for SAS Applications”
on page 69.
4 Changes to properties do not take effect immediately on the run-time system. To
apply these changes, you must perform one of the following tasks:
n
Stop and then restart the web applications whose properties you changed.
n
Use the application's JMX management bean to reload the configuration (if the
application supports JMX beans). For more information about JMX, see “Using
JMX Tools to Manage SAS Resources ” on page 293.
n
Alternatively, stop and then restart SAS Web Application Server.
Example: Configure a Property for SAS Web
Report Studio
Suppose that you want to add the property,
wrs.ReportViewPrefs.LeftPanelOpenState for SAS Web Report Studio 4.4, and
specify the value for this property. To configure this property and its value, follow these
steps:
1 Log on to SAS Management Console.
2 In SAS Management Console, navigate to Plug-ins  Application Management 
Configuration Manager  SAS Application Infrastructure  Web Report Studio
4.4. Right-click and select Properties to display the Web Report Studio 4.4
Properties dialog box.
3 Click the Advanced tab.
4 Click Add to display the Define New Property dialog box.
5 Enter the property name as shown and specify the property value:
68 Chapter 7 / Administering the SAS Web Infrastructure Platform
Property Name: wrs.ReportViewPrefs.LeftPanelOpenState
Property Value: user
6 Click OK to exit the Define New Property dialog box.
7 Click OK to exit the Web Report Studio 4.4 Properties dialog box.
Changes to properties do not take effect immediately on the run-time system. For
details, see “Summary of Steps for Using Configuration Manager” on page 66.
The following display shows the property name,
wrs.ReportViewPrefs.LeftPanelOpenState, and its property value specified on the
Advanced tab.
Display 7.3
Advanced Tab for SAS Web Report Studio 4.4 Properties
The dimmed fields indicate that the values are inherited from the SAS Application
Infrastructure, and these values are shared with other web applications. The values in
the dimmed fields can be changed only in the SAS Application Infrastructure properties.
Setting Global Properties for SAS Applications
69
Setting Global Properties for SAS
Applications
Purpose of the SAS Application
Infrastructure Properties
The Configuration Manager plug-in within SAS Management Console enables you to
configure properties that apply to all SAS applications that inherit their settings from
SAS Application Infrastructure. Most SAS Application Infrastructure settings are locked,
and the lock prevents individual SAS applications from overriding the settings. When
you unlock a SAS Application Infrastructure setting, the setting can be overridden by
individual applications. When you lock a SAS Application Infrastructure setting again, all
applications inherit that setting from the SAS Application Infrastructure.
70 Chapter 7 / Administering the SAS Web Infrastructure Platform
The following display shows the settings that can be set for SAS Application
Infrastructure.
Display 7.4
Settings Tab for SAS Application Infrastructure Properties
The locked icon
indicates that a field is locked. When a field has a locked icon, the
value or setting for that particular field cannot be overridden on the Settings tab for
other SAS applications that inherit the setting. By default, all fields on the Settings tab
of the SAS Application Infrastructure Properties dialog box are locked.
Changing a SAS Application Infrastructure
Property
1 Log on to SAS Management Console as an administrator.
2 On the Plug-ins tab, navigate to Application Management  Configuration
Manager  SAS Application Infrastructure.
3 Right-click SAS Application Infrastructure and select Properties.
Setting Global Properties for SAS Applications
71
4 Click the Settings tab.
5 Select the property to change from the left panel. Use the menus or text fields to set
the property.
6 Click OK.
Settings are not applied and activated automatically. You must restart the SAS Web
Infrastructure Platform Services and the applications that use the changed property. If
unsure, restart the web application server.
SAS Application Infrastructure Property
Descriptions
The following table identifies the settings that are available for the SAS Application
Infrastructure.
Table 7.1
SAS Application Infrastructure Settings
Setting
Default Value
Description
Default theme
SAS Default
This setting controls the default theme that
is used by the SAS web applications. For
information about creating an alternative
theme, see “Administering SAS Web
Application Themes” on page 172.
Display Quick Help Tips
Off
Application > User Interface
72 Chapter 7 / Administering the SAS Web Infrastructure Platform
Setting
Default Logon Target
Default Value
Description
none
Use the menu to select the application to
which default URL requests are directed
upon successful authentication. In this way,
a site can be configured to direct users to
SAS Web Report Studio, SAS Information
Delivery Portal, or some solution, as a
default target depending on requirements.
The typical choices are identified in the
following list:
n AdminHome — SAS Web Administration
Console
n WRSLogon — SAS Web Report Studio
n PortalLogon — SAS Information Delivery
Portal
n DisplayDashboard — SAS BI Dashboard
n MobileAdmin — SAS BI Dashboard
Mobile Device Administration
Application > Regional Settings
Default locale
varies
Use the menu to select the default locale.
Application > Pooling
Use client-side pooling of No
SAS Servers where
supported
For information about the advantages and
disadvantages, see Appendix 4, “Choices
in Workspace Server Pooling,” in SAS
Intelligence Platform: Security
Administration Guide. For information about
configuring client-side pooling, see Chapter
9, “Configuring Client-side Pooling,” in SAS
Intelligence Platform: Application Server
Administration Guide.
Notifications > General Configuration
Alert notifications type
Portal
Use the menu to select the default
notification types. For information about
using the SMS setting, see “Using the SMS
Alert Notification Type” on page 74.
Setting Global Properties for SAS Applications
Setting
Default Value
Character set for e-mail
messages
UTF-8
Allow multi-part e-mail
messages
Yes
Alert prefix type
Default
Alert email prefix
SAS Alert:
E-mail digest frequency
4
73
Description
Notifications > Administrative and Error Messages
Sender of messages
noreply@smtps
erver
Used as the sender e-mail address for
administrative messages.
Recipient of
administrative messages
varies
Administrative and error messages are sent
to all e-mail addresses in the list.
varies
Use the menu to set the default format for
date, time, and datetime values.
varies
Use the menu to set the default format for
currency values.
Formats > Formats
Short date format
Time format
Long date format
Time/Date format
Formats > Currency Formats
Currency display format
Currency number format
Policies
For information about policies, see
“Configuring Middle Tier Security Policies”
on page 130.
74 Chapter 7 / Administering the SAS Web Infrastructure Platform
Using the SMS Alert Notification Type
The alert notification service can send alerts though Short Message Service (SMS) text
messages, in addition to sending alert notifications through e-mail and displaying them
in a portal. In order to use the SMS setting, the users that are to receive the messages
must have an e-mail address that is specifically for the SMS messages. The following
display shows an example of the User Manager plug-in to SAS Management Console.
In the display, a user’s e-mail address type is set to sms, and the address is provided
in an SMS format.
Display 7.5 SMS E-mail Address
Make sure that you know the SMS E-mail gateway for the provider. Some SMS E-mail
gateways for providers in the North American market are as follows:
Specifying Connection Properties
n
Verizon: phonenumber@vtext.com
n
AT&T: phonenumber@txt.att.net
n
Sprint: phonenumber@messaging.sprintpcs.com
n
T-Mobile: phonenumber@tmomail.net
75
In addition to making sure that recipients of the SMS messages have a SMS-style email address, you might need to set two properties related to SMS.
Table 7.2
Advanced Properties for SMS Messages
Property Name
Default Value
Description
Notifications.SMSMessageLength
120 characters
Modify this value as needed to
increase or decrease the size of SMS
messages that SAS software sends to
the mail server.
Policy.EnforceSMSMessageLengt
h
false
If set to true, then messages are
truncated to the length of the previous
property.
Specifying Connection Properties
About Internal and External Connections
The connection information for each application is stored in metadata. This information
is as follows:
n
Communication Protocol
n
Host Name
n
Port Number
n
Service
76 Chapter 7 / Administering the SAS Web Infrastructure Platform
This information is used to construct a URL (for example, http://
hostname.example.com/SASBIDashboard). This information is also used by SAS
applications that need to communicate with another application. In this case, the
requesting application can look up the information from metadata.
By default, the information in the previous list is identified on the Internal Connection
tab for each application. (In previous releases, this was the Connection tab.) In many
network topologies, end users and SAS web applications can send requests to the
same URL. In these cases, the External Connection tab has the Use internal
connection information check box selected, and all communication is sent to the
internal connection.
Some network topologies can prevent communication between SAS web applications.
The following figure shows a sample topology that prevents applications in the SAS
middle tier from accessing each other through the proxy.
Figure 7.1 Network Topology with a Firewall
Clients
Proxy
SAS Middle Tier
Web Server, Third-Party
Product, or Hardware
Load Balancer.
SAS Web Application Server
Web Browser
SAS Environment Manager
Other Middle-Tier Components
Firewall
In these topologies, the External Connection tab can be used to specify different
connection information. This might be necessary in the following scenarios:
Specifying Connection Properties
n
A firewall denies access to the SAS Web Server machine that originates from the
SAS Web Application Server machine.
n
A third-party product such as IBM Tivoli Access Manager WebSEAL or CA
SiteMinder is used to protect or rewrite URLs.
77
The previous two items are examples of a topology or software product that interacts
with SAS Logon Manager. Any change that affects access to SAS Logon Manager can
require you to specify external connection information because the change can affect
the call backs that occur between the applications and SAS Logon Manager.
In any network topology that prevents access to the front-end processor (identified as
the proxy in the previous figure) from the SAS middle tier, you can specify different
settings for the external connection. When a SAS web application accesses another
application, it uses the internal connection. When a user is redirected to a URL (for
example, SAS Logon Manager redirecting to SAS BI Dashboard), then the external
connection information is used.
Changing Connection Properties
The Internal Connection tab in the properties dialog box for SAS applications enables
you to modify the parameters for connecting to a SAS web application. The selections
that are displayed on the tab determine the URL that is used to access the application's
resources or services.
The following display shows the internal connection information for SAS BI Dashboard
properties.
78 Chapter 7 / Administering the SAS Web Infrastructure Platform
Display 7.6 Internal Connection Tab for BI Dashboard Properties
If a SAS web application is moved to a different machine (and you are not using SAS
Web Server), you must modify the connection information. If you configured SAS Web
Server manually for HTTPS, you must change the protocol.
Changing the values for the Host Name, Port, or Service fields on the tab enables the
SAS Web Application Infrastructure Platform to redirect clients to the proper locations in
a custom environment. For the host name, you can supply an IP address. If you enter
an IP version 6 address, you must enclose the address in brackets.
For example: [FE80::202:B3FF:FE1E:8329]
Changing External Connection Properties
If your site changes its configuration after initial deployment, you might need to edit the
external connection information parameters. One example is adding a third-party
product to the network, such as IBM Tivoli Access Manager WebSEAL or CA
SiteMinder. In this case, you must route connections through the proxy. These changes
must be made on the External Connection tab.
Specifying Connection Properties
Display 7.7 External Connection Tab for BI Dashboard Properties
Clear the Use internal connection information check box and then enter the
connection information for the proxy.
In any environment where the internal and external connection information must differ
due to different access rules, you must specify the following JVM option for SAS Web
Application Server:
-Dsas.retry.internal.url=true
See Also
“Specifying JVM Options” on page 49
79
80 Chapter 7 / Administering the SAS Web Infrastructure Platform
Configuring Auditing for SAS Web
Applications
Overview of Auditing
SAS web applications and other SAS middle-tier services provide auditing features.
Depending on the application and its configuration, these auditing features can record
all actions performed both by the direct users of the system and by the system itself.
Some applications might provide a more complete audit, detailing not only the actions
that are performed but also the states of the objects that are affected by those actions.
Log on, log off, and unsuccessful log on attempts create audit records for all
deployments. Additional actions that can be audited for SAS Web Infrastructure
Platform are described in this section. If a SAS solution is installed, see the solution
documentation for information about additional actions that can be audited.
Audit Record Storage
Audit records are stored in the SAS Web Infrastructure Platform database. These audit
records are stored in two relational tables, SAS_AUDIT and SAS_AUDIT_ENTRY. Two
additional tables, SAS_AUDIT_ARCHIVE and SAS_AUDIT_ENTRY_ARCHIVE, provide
archival audit data.
Do not access the tables directly for audit reporting. The SAS Web Administration
Console provides an interface for viewing log on, log off, unsuccessful log on attempts,
and last user logon information.
Depending on the auditing configuration of the deployed SAS applications, audit records
can contain different types of audit information. However, all audit records contain the
following information:
n
user ID that performed the audited action.
n
action that occurred. This is stored as an action code.
n
data and time that the audited action occurred.
Configuring Auditing for SAS Web Applications
81
Guidelines for Auditing the SAS Middle Tier
The auditing process in the SAS middle tier is designed to be efficient for both
processing time and storage. However, you might want to limit the number of audited
events to minimize any effect on performance and minimize the size of the audit trail.
The SAS middle tier auditing features provide the tools to help you balance the need to
gather sufficient security or historical records with the ability to store and process it.
Consider these guidelines to make efficient use of the SAS middle tier auditing features:
n
Evaluate the purpose of auditing an action. Make sure that records for an audited
action can be used to serve a business purpose.
n
When auditing for security, audit generally and then audit specifically. Analyze the
records from general audit options to provide the basis for targeting specific audited
actions.
n
When auditing for historical information, audit for actions that are important to your
business only. Avoid cluttering valuable audit records with less relevant audited
actions. Narrowing the focus to valuable actions also reduces the amount of audit
trail administration.
n
Align the audit requirements to the most strictly regulated application. If your SAS
deployment includes a number of SAS applications, the applications might have
varying requirements. Make sure that the audited actions match the most strictly
regulated application.
When auditing is enabled and audit records are generated, the audit trail size increases
according to two factors:
n
the number actions that are enabled for auditing
n
how frequently the audited actions are performed
If the SAS Web Infrastructure Platform database becomes completely full and audit
records cannot be inserted, the audited actions cannot be successfully executed until
the audit trail is purged. The system administrator must control the rate of increase and
size of the audit trail. To control the size of the audit trail, consider the following
strategies:
82 Chapter 7 / Administering the SAS Web Infrastructure Platform
n
Be selective about which actions are enabled for auditing. If the number of audited
actions is reduced, then unnecessary and useless audit records are not generated
and are not stored in the audit trail.
n
Design archive rules to move important, but not critically important, information out
of the audit trail. This process archives the audit records of interest and removes
them from the main audit table. For information about archiving, see “Archive
Process for Audit Records” on page 83.
n
Purge the audit archive tables as needed.
Enable Auditing for Additional Services
All SAS products that include the SAS Web Infrastructure Platform provide audit records
for logon, log off, and unsuccessful log on attempts. Other standard services can also
be audited:
n
mail service
n
content service
n
job execution service
n
workspace service
n
scheduling service
n
impersonation service
To enable auditing for any of these services, follow these steps:
1 Edit the
SASHOME\SASWebInfrastructurePlatform\9.4\Static\wars
\sas.wip.services\WEB-INF\spring-config\aop-config.xml file.
2 Review the comments to locate the service that you want to audit. Each of the
services is commented out in the initial deployment. The following example shows
the job execution service:
<!-- Job Execution Service auditing
<bean class="com.sas.svcs.aop.auditing.jes.SuccessfulSubmitJobAuditAdvice">
Configuring Auditing for SAS Web Applications
83
<property name="auditRecorder" ref="auditService" />
</bean>
3 Add closing comment markup and then remove the original closing comment
markup (––>) from the bottom of the code block. Save your changes.
4 Rebuild the SAS Web Infrastructure Platform with the SAS Deployment Manager.
Note: Subsequent upgrade activities can overwrite this file. For example, if you later
install a maintenance release that includes aop-config.xml, then you must repeat
this procedure.
5 Redeploy the SAS Web Infrastructure Platform Services web application
(sas.wip.services9.4.ear).
Enabling auditing for other SAS applications requires editing different files, but the steps
are similar to the previous procedure. For example, auditing for SAS Workflow is
controlled with the SASHOME\SASWebInfrastructurePlatform\9.4\Static
\wars\sas.workflow\WEB-INF\spring-config\aop-config.xml file.
Archive Process for Audit Records
Once the audit features are enabled, records are added to the SAS_AUDIT and
SAS_AUDIT_ENTRY tables. The records can be archived to the
SAS_AUDIT_ARCHIVE and SAS_AUDIT_ENTRY_ARCHIVE tables. An archive job is
used to control which records to archive. The archive job reads the archive rules in the
SAS_AUDIT_ARCHIVE_RULE table. The archive job always starts when SAS Web
Infrastructure Platform Services starts. In addition, the default archive job is scheduled
to start every Monday at the start of day, but the archive job schedule can be
configured.
84 Chapter 7 / Administering the SAS Web Infrastructure Platform
The following table describes the columns in table SAS_AUDIT_ARCHIVE_RULE.
Rows must be added to this table to identify the objects, actions, and age for the archive
job to process.
Table 7.3
SAS_AUDIT_ARCHIVE_RULE Column Description
Column Name
Description
OBJECT_TYPE_ID
Object type. Each object type is assigned an ID in table
SAS_TYPE_OBJECT.
ACTION_TYPE_ID
Type of change. Each action type is assigned an ID in table
SAS_TYPE_ACTION.
FREQUENCY_NO
A numeric value in milliseconds. Records that meet the
criteria for OBJECT_TYPE_ID and ACTION_TYPE_ID, and
are also older than this value, are archived.
To control the archive job schedule, you can add a JVM option to SAS Web Application
Server. The -Dsas.audit.archive.cron JVM option can be used to specify the
schedule. The schedule is set with a syntax that is similar to cron:
-Dsas.audit.archive.cron="second minute hour day_of_month month day_of_week"
The following example schedules the archive job to run each day at midnight:
-Dsas.audit.archive.cron="0 0 0 * * *"
You can confirm the archive job runs and reads the archive rules by adding a logging
context to com.sas.svcs.audit at the INFO level.
The following table identifies the common object types and actions that you might want
to include in the SAS_AUDIT_ARCHIVE_RULE table:
Table 7.4
Common Audit Object Types and Actions
Audit Action
Object Type ID Value
Action Type ID Value
User log on
-1
8
User log off
-1
9
Configuring Auditing for SAS Web Applications
Audit Action
Object Type ID Value
Action Type ID Value
Sent E-mail
-1
44
Add job
11
0
Submit job
10
3
Retrieve job
11
45
Cancel job
10
47
Release job
10
48
Update job
11
1
Remove job
11
37
Start scheduled job
86
3
Remove scheduled job
86
37
85
Purging Audit Records
After auditing has been enabled for some time and the audit archive process runs, you
might want to delete records from the SAS_AUDIT_ARCHIVE and
SAS_AUDIT_ENTRY_ARCHIVE tables. Purging records that are no longer needed
recovers some archival space and facilitates better audit trail management. For
information about deleting records from the SAS Web Infrastructure Platform database,
see the documentation for the database.
86 Chapter 7 / Administering the SAS Web Infrastructure Platform
Using the SAS Web Administration
Console
About the SAS Web Administration Console
The SAS Web Administration Console provides a central location for the following
activities:
n
monitoring information about users who are currently logged on to SAS web
applications
n
viewing audit reports that show user logon and logoff activity and failed logon
attempts
n
performing server maintenance, as a part of system maintenance
n
managing notification templates and letterheads
n
managing authorization, including Web Infrastructure Platform roles and privileges
and web-layer permissions
n
viewing the current configuration for web applications that have been deployed at
your site
SAS Web Administration Console also enables you to access the SAS Content Server
Administration Console, which you can use to manage folders and permissions for the
SAS Content Server. For details, see “Using the SAS Content Server Administration
Console ” on page 144.
Here is the main page of SAS Web Administration Console with the navigation pane
expanded:
Using the SAS Web Administration Console
87
Display 7.8 Main Page in SAS Web Administration Console
Note: Depending on the software that is licensed at your site, your SAS Web
Administration Console might include additional functionality. For more information
about the console at your site, see the administration guides for your applications.
Access the SAS Web Administration Console
To access the SAS Web Administration Console, enter the following URL in your web
browser and substitute the host name and port number of your web application server:
http(s)://server:port/SASAdmin
To use this application, you must log on as someone who is a member of the SAS
Administrators group (for example, sasadm@saspw).
Note: The SAS Content Server Administration Console has its own logon
requirements. For more information, see “Using the SAS Content Server Administration
Console ” on page 144.
88 Chapter 7 / Administering the SAS Web Infrastructure Platform
Monitor Users
About the Users That Appear on the Users Page
The Users page in the SAS Web Administration Console lists the following types of
users:
authenticated users
are users who are currently authenticated on the system.
system users
are system-level users who are required to perform particular tasks, such as running
a stored process or accessing metadata.
Send E-Mail to One or More Users
You can send e-mail to any of the authenticated users who are currently logged on to
SAS web applications. This feature is useful if you want to notify users of an impending
system operation or a system outage.
To send e-mail to users, follow these steps:
1 Select Environment Management  Users in the navigation pane.
2 In the Users pane, select the check box in the last column of the row that contains
the name of an authenticated user.
You can select multiple check boxes in order to send e-mail to several users. To
select all of the check boxes, select the check box in the heading of the last column.
3 Click the action menu
in the heading of the last column, and select Send E-mail.
4 If necessary, enter the e-mail address of the recipient. If you enter more than one
address, separate the addresses with a semicolon.
The e-mail addresses are already listed for users whose addresses are defined in
SAS metadata.
5 Enter the subject and text of the message.
Using the SAS Web Administration Console
89
6 If you have more than one recipient, specify whether you want to send a single
message to all recipients or to send a separate message to each recipient.
7 Click Send.
Viewing Audit Reports
The Audit page enables you to review user logon and logoff activity and the number of
failed logon attempts. You can also search by user ID for a user’s last logon time.
Display 7.9
Audit Reports Page
To search for a user’s last logon time, follow these steps:
1 Select Environment Management  Audit in the navigation pane.
2 In the Audit Reports pane, enter an authenticated user's ID in the text field, and click
Submit Query.
90 Chapter 7 / Administering the SAS Web Infrastructure Platform
Performing Server Maintenance
Overview
Tasks such as making changes to the metadata, restarting a metadata server, restarting
the object spawner, or restarting a web application can be performed safely only when
users are not logged on to applications or when new users are prohibited from logging
on to the applications.
You can use the console to enable session draining for a SAS Web Application Server
instance. This prevents new sessions from being sent to the server instance. You can
use this feature as one step in a sequence of other tasks to prepare the system for
maintenance.
The SAS Web Administration Console cannot stop, pause, or start servers. For
instructions about system maintenance tasks such as stopping, pausing, or starting
servers, see the SAS Intelligence Platform: System Administration Guide.
Enable Session Draining
To enable session draining, follow these steps:
1 Connect to the load balancer manager at http://
saswebserver.example.com/balancer-manager.
Note: By default, the load balancer manager is accessible from the same host as
SAS Web Server. Modify WebServer\conf\extra\httpd-info.conf to enable
connections from other machines.
2 On the load balancer manager page, select the worker URL to drain, enable the
Drain option, and click Submit.
3 In the SAS Web Administration Console, select Environment Management 
Server Maintenance in the navigation pane.
4 On the Server Maintenance page, select the check box for the server to drain
sessions from.
Using the SAS Web Administration Console
91
Note: If a server does not run an application that provides middle-tier services, then
the server is not listed. This is because there is no reason to redirect connections
away from that server.
5 Click the action menu
in the heading of the last column, and select Drain
Sessions.
Existing sessions on the server continue to work, but new sessions are not directed to
the server. You can monitor the progress of session draining with SAS Environment
Manager.
In SAS Environment Manager, monitor the hostname tc Runtime SASServern_m
resource. Use the Views  Application Management page to view the number of
sessions. For more information, see the Help or SAS Environment Manager: User’s
Guide.
Note: The sessions for the SAS BI Dashboard Event Generation application do not
reach zero.
New sessions are accepted once you restart the server instance.
Managing Notification Templates and
Letterheads
About Notifications
Applications that are part of the SAS Web Infrastructure Platform can send event-driven
notifications to users. When an event occurs, the application uses the notification
template that is associated with that event to create an e-mail message and send it to
the appropriate users. SAS Workflow Studio is an example of an application that uses
notifications.
SAS provides standard notification templates for the SAS Web Infrastructure Platform
applications that you have licensed. You can use SAS Web Administration Console to
do the following:
n
customize the wording and format of the standard templates
n
define customized letterheads to be incorporated into notifications
92 Chapter 7 / Administering the SAS Web Infrastructure Platform
n
create new templates and delete existing ones
n
activate a previous version of a notification template or letterhead
Beginning with SAS 9.4, notifications are managed by SAS Content Services.
Create, Edit, Test, or Delete a Notification Template
To create, edit, or test a notification template, follow these steps:
1 Select Environment Management  Notifications  Templates in the navigation
pane.
2 On the Notification Templates page, select the locale in which you want to work.
3 If you want to create a new template, click the plus icon (+) above the table. In the
New Template window, enter a name and an optional description. Click Save.
4 On the Notification Templates page, click the name of the new template (or click the
name of an existing template that you want to edit or test).
5 On the Edit page, you can do the following:
n
Activate a previous version of the template. See “Activate a Previous Version of a
Notification Template or Letterhead” on page 94.
n
Edit the subject line (for HTML and text formats only).
n
Edit the template body in the HTML, text, and Short Message Service (SMS)
formats, as needed.
n
Specify a letterhead to be incorporated into the notification (for HTML and text
formats only).
n
Click Preview to verify that the notification appears as it is expected.
n
Click Send Test Notification to send a test notification. If the template includes
merge variables (substitution variables), they are listed in the Send Test E-mail
dialog box. To test the appearance of these variables, you can enter sample
values in the Placeholder Value column.
Using the SAS Web Administration Console
93
When you click Send in the dialog box, the e-mail is sent to the account that you
used to log on to SAS Web Administration Console. (If your account is not
associated with an e-mail address, you can specify the address by using User
Manager in SAS Management Console.) If the template includes content in both
HTML and text format, you will receive two messages.
6 Click Save on the Edit page to save any changes that you have made. The version
number is automatically updated, and the new version is automatically set as the
active version.
If you need to delete a notification template, select the appropriate locale on the
Notification Templates page. Then select the check box for the appropriate letterhead,
and click the minus icon (-) above the table.
Note: You should not delete the templates that are provided by SAS.
Create, Edit, or Delete a Notification Letterhead
You can further customize your notifications by adding a letterhead. SAS provides one
standard letterhead that you can modify, or you can create your own. To create or edit a
letterhead, follow these steps:
1 Select Environment Management  Notifications  Letterheads in the
navigation pane.
2 On the Notification Letterheads page, select the locale in which you want to work.
3 If you want to create a new letterhead, click the plus icon (+) above the table. In the
New Letterhead window, enter a name and an optional description. Click Save.
4 On the Notification Letterheads page, click the name of the new letterhead (or click
the name of an existing letterhead that you want to edit).
5 On the Edit page, you can do the following:
n
Activate a previous version of the letterhead. See “Activate a Previous Version of
a Notification Template or Letterhead” on page 94.
n
Enter (or modify) the content for either or both of the available formats (HTML
and text).
94 Chapter 7 / Administering the SAS Web Infrastructure Platform
n
Click Preview to verify that the letterhead content appears as expected.
6 Click Save when you are finished. If you edited an existing letterhead, the version
number is updated and the new version is automatically set as the active version.
You can now associate the letterhead with a notification template and then preview or
test the template to verify its appearance. See “Create, Edit, Test, or Delete a
Notification Template” on page 92.
If you need to delete a notification letterhead, select the appropriate locale on the
Notification Letterheads page. Then select the check box for the appropriate letterhead,
and click the minus icon (-) above the table.
Activate a Previous Version of a Notification Template or
Letterhead
To activate a previous version of a notification template or letterhead, follow these
steps:
1 Open the template or letterhead for editing, as described in the preceding topics.
2 On the Edit page, use the drop-down box to select the version that you want to
activate. Then click Activate as new version.
The newly activated template or letterhead is saved with an updated version
number.
3 Click Cancel to exit the Edit page.
Managing Web Infrastructure Platform
Privileges and Roles
About Web Infrastructure Platform Privileges and Roles
Some SAS applications (such as SAS Workflow Studio) use Web Infrastructure
Platform privileges and roles to control the availability of features to users and groups.
A privilege represents a specific action in an application. Privileges can affect the
visibility of certain application features (such as menu items, tabs, and buttons) to users.
Using the SAS Web Administration Console
95
A role is a collection of privileges. Administrators grant privileges to users or groups by
making them members of roles.
There is no order of precedence for privileges. A user has a privilege if he or she is a
member of any role that provides that privilege.
Several predefined roles are provided in a new deployment. For example, the ADMIN
role makes the authorization tasks visible in SAS Web Administration Console. The
SAS Administrative User is the only initial member of the ADMIN role. Other predefined
roles are provided for specific applications. For information about those roles, see the
application’s administration documentation.
Note: The Web Infrastructure Platform roles and privileges are separate and distinct
from the metadata-layer roles and capabilities that are administered in SAS
Management Console.
Assign One or More Roles to a User or Group
To assign one or more roles to a user or a group, follow these steps:
1 Select Environment Management  Authorization  Assign Roles in the
navigation pane.
2 On the Principal Type page, select Users or Groups. Click Next.
3 On the Choose Principal page, select the user or group to which you want to assign
roles. The drop-down list displays users and groups that are registered in SAS
metadata. After making a selection, click Next.
4 On the Choose Roles page, select the check box for each role that you want to
assign to the user or group. To remove a role assignment, clear the check box.
5 Click Finish to save your changes.
Use Bulk Assign to Assign a Role to Multiple Users or Groups
You can use the bulk assign feature to assign a single role to multiple users or groups.
Follow these steps:
96 Chapter 7 / Administering the SAS Web Infrastructure Platform
1 Select Environment Management  Authorization  Bulk Assign a Role in the
navigation pane.
2 On the Choose Role page, select the role that you want to assign, and click Next.
3 On the Choose Identities page, select the check box for each user and group to
which the role is to be assigned. To remove the role assignment from a user or
group, clear the check box.
TIP You can select the Groups link at the top of the page to move quickly to the
list of groups.
4 Click Finish to save your changes.
Edit a Role’s Privileges
To change the privileges that are assigned to a role, follow these steps:
1 Select Environment Management  Authorization  Edit a Role’s Privileges in
the navigation pane.
2 On the Choose Role page, select the role whose privileges you want to edit, and
click Next.
3 On the Choose Privileges page, select the check box for each privilege that is to be
assigned to the role. To remove a privilege, clear the check box.
4 Click Finish to save your changes.
Managing Web-layer Permissions
About Web-layer Permissions
Some SAS applications (such as SAS Workflow Studio) use SAS Content Services to
manage content. Web-layer permissions control users’ access to the folders and
documents that make up this content. Five permissions are supported: Read, Write,
Create, Delete, and Administer. Not all permissions are applicable to all objects. For
Using the SAS Web Administration Console
97
information about how a particular application uses these permissions, see the
administration documentation for the application.
In general, permissions for these folders and documents are managed by the SAS
applications that use them. SAS Web Administration Console enables administrators to
review the permissions and, as necessary, to update them. You should use SAS Web
Administration Console to update web-layer permissions only when directed to do so by
SAS Technical Support.
Note: Some SAS applications use the SAS Content Server (instead of SAS Content
Services) to manage content. To manage SAS Content Server permissions, see
“Administering the SAS Content Server” on page 136.
Precedence in Web-layer Permissions
Authorization decisions are based on where web-layer permissions are set and to whom
they are assigned. The precedence principles are as follows:
n
A permission that is set directly on an object has precedence over a permission that
is inherited from a parent object.
n
At any particular level in the object hierarchy, a permission that is assigned to a user
has precedence over a permission that is assigned to a group.
n
If a user has a grant from one group and a denial from another group, the outcome
is a denial.
Applications use the following process to make authorization decisions:
1 Examine any direct access controls on the target object.
a If the requesting user has a direct grant or denial, that determines the outcome.
b If a group to which the requesting user belongs has a direct denial, the outcome
is a denial.
c If a group to which the requesting user belongs has a direct grant (and no
relevant group denial is found), the outcome is a grant.
2 Examine any direct access controls on the object’s immediate parent, following the
same process as in step 1.
98 Chapter 7 / Administering the SAS Web Infrastructure Platform
3 Continue moving up the inheritance hierarchy, parent-by-parent, until a relevant
direct access control is found.
4 If the top of the hierarchy is reached and no relevant access control is found, the
outcome is a denial.
Reviewing and Setting Web-layer Permissions
You can use SAS Web Administration Console to review and update permissions for
folders and documents that are managed by SAS Content Services.
CAUTION! In general, permissions for these folders and documents are
managed by the SAS applications that use them. You should use SAS Web
Administration Console to update permissions only when directed to do so by
SAS Technical Support.
To review or update permissions on a folder or document that is managed by SAS
Content Services, follow these steps:
1 Select Environment Management  Authorization  Permissions in the
navigation pane.
2 The Web Authorization: Access Controls page displays content folders and objects
in a tree format. Click the plus icons to expand the nodes, and use the scroll bars as
needed to view the expanded tree.
3 Click the folder or object of interest to select it. The Properties section displays the
path, object type, and owner information for the selected folder or object, and the
Direct Access Controls section displays the current permission settings.
4 In the Direct Access Controls section, select the check box to select or clear the
option Child objects can inherit these settings.
5 For each user or group that is displayed, use the drop-down boxes as needed to
modify the permission settings.
6 To specify permissions for additional users or groups, follow these steps:
Using the SAS Web Administration Console
99
a In the first column of the last row of direct access controls, select the appropriate
principal type (User or Group). From the second drop-down box, select the user
or group for which you want to assign permissions. (The drop-down list displays
users and groups that are registered in SAS metadata.) Use the drop-down
boxes in columns three through seven to assign settings for each permission.
b To specify permissions for another user or group, click the plus icon (+) at the
end of the last row. In the new row, select the principal type, the user or group,
and the appropriate permission settings. To specify permissions for more users
and groups, repeat this step as needed.
7 When you are finished, click Save.
Viewing Information about Web Applications
The SAS Web Administration Console provides configuration information about the SAS
web applications that are installed and configured at your site. This information is also
available in SAS Management Console. However, SAS Web Administration Console
enables you to view the information from any machine with a web browser, without the
need to have SAS Management Console installed on the machine.
To display a list of configured web applications, expand the Application Management
node in the navigation pane. When you click the name of an application, the right pane
displays information under the following headings:
Application Settings
displays settings that are currently configured for the application. For example, SAS
Information Delivery Portal settings include the locale that is in use, the location
where portlets are deployed, the e-mail host, and default settings for various user
preferences.
You cannot change any of the application settings here. To change settings, use the
Application Management  Configuration Manager plug-in in SAS Management
Console.
100 Chapter 7 / Administering the SAS Web Infrastructure Platform
Directives
provides the internal direction to the application's URL. This information is used
internally to route applications. You might use this information to troubleshoot
applications under the guidance of SAS Technical Support.
Logging
displays a form that is used to configure logging for applications that are
instrumented for dynamic logging control.
101
8
Administering SAS Web Applications
About SAS Deployment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Rebuilding the SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
When to Rebuild the SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . 103
Rebuild Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Web Application Names and EAR and WAR Files . . . . . . . . . . . . . . . 105
Redeploying the SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
About Redeploying Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Redeploy Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Reconfiguring the Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . 110
Administering Logging for SAS Web Applications . . . . . . . . . . . . . . 111
Logging for SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Change the Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Changing the Authorization Requirement for
Changing Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Change the Location of the Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
About SAS Deployment Manager
The SAS Deployment Manager enables a SAS administrator to perform the following
tasks that are typical for the middle tier:
102 Chapter 8 / Administering SAS Web Applications
n
Rebuild Web Applications. You can rebuild web applications that have previously
been configured but whose configuration has changed. This option rebuilds the web
application based on the current configuration. See “Rebuilding the SAS Web
Applications” on page 103.
n
Redeploy Web Applications. You can redeploy web applications that have rebuilt.
See “Redeploying the SAS Web Applications” on page 107.
n
Remove the existing configuration. You can remove the product configuration for
one or more products in the deployment. This option enables you to remove the
product configuration for an application that you are no longer using or that you are
moving to another machine. You can then use the SAS Deployment Wizard to
reinstall or reconfigure the application. For details, see “Removing a SAS
Configuration” in the SAS Intelligence Platform: Installation and Configuration Guide.
Note the following about removing a configuration:
o
Installed products are not removed.
o
If you remove the configuration for the SAS Information Delivery Portal, do not
select the Remove all User Content option unless you have made a backup
copy of the content repository. If you choose this option, you must re-create the
content later from your backup. When you choose to remove portal content, all
pages, portlets, and other items created by the users are removed.
o
If you remove the configuration for the Web Infrastructure Platform, the contents
of the SAS Content Server repository (located in the SAS-config-dir
\Lev1\AppData\SASContentServer\Repository directory) are not
deleted. If you do not need the contents of this directory, you should manually
delete the contents before rebuilding the Web Infrastructure Platform with the
SAS Deployment Manager.
Access the SAS Deployment Manager by running the SAS-install-dir
\SASDeploymentManager\9.4\sasdm.exe command. On UNIX and z/OS
operating environments, the command is sasdm.sh.
Rebuilding the SAS Web Applications
103
Rebuilding the SAS Web Applications
When to Rebuild the SAS Web Applications
The Rebuild Web Applications option of the SAS Deployment Manager provides an
automated way to rebuild the web applications that are deployed in your environment.
You should rebuild the web applications in the following situations:
n
You might need to rebuild applications that you have reconfigured. For example, if
you change the HTTP time-out interval for an application, then you should rebuild
the application.
Note: This administration guide informs you when an application must be rebuilt
after reconfiguration.
n
Rebuild an application after you change the Java security configuration for the
application.
n
If a custom theme is created for your organization, then rebuild the SAS Web
Application Themes.
n
If custom content is created, then add files to the WAR directory and rebuild the
application to which the custom content applies. For example, to create custom
forms for SAS Stored Process, place the file for the EAR or the WAR in the SASconfig-dir\Lev1\Web\Common
\SASServer1\SASStoredProcess9.4\CustomContent\ears
\sas.storedprocess\input directory. Then, use the SAS Deployment Manager
to rebuild the SAS Stored Process application.
n
If custom portal content is created, such as a custom portlet, then rebuild the SAS
Information Delivery Portal. For more information, see “Rebuild Web Applications”
on page 104.
n
Rebuild SAS Help Viewer for Midtier Applications after your initial deployment if you
install or upgrade a SAS web application that offers online Help. (SAS Help Viewer
104 Chapter 8 / Administering SAS Web Applications
for Midtier Applications combines SAS Help Viewer for the Web software with
various help content into its EAR file.)
The following web applications use SAS Help Viewer for Midtier Applications:
n
o
SAS Information Delivery Portal Help
o
SAS Web Report Studio Help
o
SAS Web Report Viewer Help
o
SAS BI Dashboard Help
o
SAS Comment Manager Help
After installing a maintenance release or hot fixes, rebuild the web applications that
were updated at your site. Follow the instructions in the maintenance documentation
or the hot fix instructions. Because the web applications are rebuilt, you might lose
any customizations that you added after the initial deployment.
Rebuild Web Applications
The Rebuild Web Applications option in the SAS Deployment Manager enables you to
rebuild one or more web applications. The rebuild process updates two directories for
each rebuilt web application:
n
SAS-config-dir\Lev1\Web\Staging. An EAR or WAR file for each rebuilt
application is placed in this directory.
The approximate size of the collection of applications for SAS Enterprise Business
Intelligence is 4 GB.
n
SAS-config-dir\Lev1\Web\Staging\exploded. An exploded version of each
rebuilt application is placed in this directory.
Note: You can delete any unwanted directories in the exploded directory to save
disk space.
To rebuild one or more web applications, follow these steps:
1 The web application server can be running or stopped.
Rebuilding the SAS Web Applications
105
2 Make sure that the SAS Metadata Server is running.
3 Start the SAS Deployment Manager.
4 Select Rebuild Web Applications and click Next.
5 Specify the configuration directory and the level (for example, Lev1) on the Select
Configuration Directory/Level page. Click Next.
6 Enter the user ID and password for an unrestricted administrative user (for example,
sasadm@saspw) on the Specify Connection Information page. Click Next.
7 Select the check boxes for the web applications that you want to rebuild and click
Next.
8 Review the Summary page and click Start. The SAS Deployment Manager builds
the files for the selected applications. For the names and location of the files, see
“Web Application Names and EAR and WAR Files” on page 105.
9 If you are rebuilding theme content, you might need to stop and restart the web
application server as follows.
If SAS Web Application Themes is deployed to the web application server, then the
first time a custom theme is deployed, the web application server must be stopped
and restarted. Any subsequent modifications to the custom theme do not require a
restart of the web application server unless the theme descriptors have been
changed.
After rebuilding the web applications, the next action is typically to redeploy them. See
“Redeploying the SAS Web Applications” on page 107.
Web Application Names and EAR and WAR
Files
The files for the SAS web applications are stored in the following directories:
n
SAS-config-dir\Lev1\Web\Staging
n
SAS-config-dir\Lev1\Web\Staging\exploded
106 Chapter 8 / Administering SAS Web Applications
When the SAS Deployment Manager is used to rebuild a web application, the files for
the web application in the previous directories are overwritten. The following table
identifies the product configuration name that is used in the SAS Deployment Manager
for the web applications that are part of the SAS Enterprise Business Intelligence
Server. Use this table to understand which web applications and files are updated when
a product configuration is selected in the SAS Deployment Manager.
Table 8.1
Product Configuration, Web Application, and Filenames
Product
Configuration
Application
Filename
BI Dashboard 4.4
SAS BI Dashboard
sas.bidashboard4.4.ear
BI Portlets 4.4
SAS BI Portlets
sas.biportlets4.4.ear
Environment
Manager Middle Tier
2.1
SAS Environment
Manager
sas.environmentmanager2.1.e
ar
Flex Application
Themes 4.1
SAS Flex Application
Themes
sas.flexthemes4.1.ear
SAS Theme Designer for
Flex
sas.themedesigner4.1.ear
Help Viewer for
Midtier App 9.4
SAS Help Viewer for
Midtier Applications
sas.webdocmd9.4.ear
Information Delivery
Portal 4.4
SAS Information Delivery
Portal
sas.portal4.4.ear
SAS Package Viewer
sas.packageviewer4.4.ear
SAS Web Application
Themes
sas.themes.ear
SAS Themes
Redeploying the SAS Web Applications
Product
Configuration
Web Infrastructure
Platform 9.4
Web Report Studio
4.4
107
Application
Filename
SAS Content Server
sas.wip.scs9.4.ear
SAS Stored Process
sas.storedprocess9.4.ear
SAS Web Administration
Console
sas.wip.admin9.4.ear
SAS Web Infrastructure
Platform Applications
sas.wip.apps9.4.ear
SAS Web Infrastructure
Platform Resources
sas.wip.resources9.4.ear
SAS Web Infrastructure
Platform Services
sas.wip.services9.4.ear
SAS Workflow
sas.workflow9.4.ear
SAS Authorization Service
sas.authorization.services.
war
SAS Identity Services
sas.identity.services.war
SAS Principal Services
sas.principal.services.war
SAS Web Report Studio
sas.webreportstudio4.4.ear
Redeploying the SAS Web Applications
About Redeploying Web Applications
When the SAS Deployment Manager rebuilds SAS web applications, the rebuilt EAR
files are placed in the SAS-config-dir\Lev1\Web\Staging directory. All EAR files
108 Chapter 8 / Administering SAS Web Applications
are placed in a single directory even if your deployment includes multiple web
application servers (for example, SASServer1_1 and SASServer2_1).
If you have web application servers that were installed and configured by the SAS
Deployment Wizard in your environment, make a note of the server names and the web
applications that are installed on each server. For example, if six applications are
located on SASServer1_1 and three applications are located on SASServer2_1, make a
list of the applications that are installed on each of these servers. Alternatively, you can
refer to your Instructions.html file, which specifies the following:
n
the list of web applications to be deployed
n
the location of the applications
n
the web application server where each application should be deployed
When you redeploy the SAS web applications, you can refer to your list or the
Instructions.html file, to ensure that you redeploy each application to the correct
server.
Redeploy Web Applications
Steps to Perform with the SAS Deployment Manager
The SAS Deployment Manager manages the SAS web applications as EAR files but the
applications are deployed as WAR files.
To redeploy one or more web applications, follow these steps:
1 The web application server can be running or stopped.
2 Make sure that the SAS Metadata Server is running.
3 Start the SAS Deployment Manager.
4 Select Deploy Web Applications and click Next.
5 Specify the configuration directory and the level (for example, Lev1) on the Select
Configuration Directory/Level page. Click Next.
Redeploying the SAS Web Applications
109
6 Enter the user ID and password for an unrestricted administrative user (for example,
sasadm@saspw) on the Specify Connection Information page. Click Next.
7 The manager provides a warning that SAS Web Application Server will be stopped.
Be aware that the web applications will not be available while the server is stopped.
Select the Allow the application server to stop check box and click Next.
8 Select the check boxes for the web applications that you want to redeploy and click
Next.
For the names, see “Web Application Names and EAR and WAR Files” on page
105.
9 Review the Summary page and click Start. The SAS Deployment Manager stops the
server, deploys the web applications, and starts the server.
Backups of Previous Web Application Versions
Before the SAS Deployment Manager redeploys a web application, it creates backups
of the existing version and the context file. The backups are as follows:
n
Application backups are in the SAS-config-dir\Levn\Web\WebAppServer
\SASServer1_1\sas_webapps\Backup directory.
n
Context file backups are in the SAS-config-dir\Levn\Web\WebAppServer
\SASServer1_1\conf\Catalina\localhost\Backup directory.
A timestamp is appended to the web application directory and context file to indicate
when the backup was performed. If you frequently redeploy web applications, you can
consume disk space. You can delete backup files that are no longer needed.
Additional Steps for Horizontal Clusters
To redeploy web applications on additional machines in a horizontal cluster, follow
these steps:
1 Stop the SAS Web Application Server instances on the additional machines.
2 Copy the updated application EAR and WAR files from the primary machine to the
staging directory on the additional machines.
110 Chapter 8 / Administering SAS Web Applications
The staging directory is typically SAS-config-dir\Levn\Web\Staging.
3 Use the appsrvconfig command on each additional machine to undeploy and
redeploy the web applications:
appsrvconfig.cmd -e run undeploy application application-name server SASServer1
appsrvconfig.cmd -e run deploy application application-name server SASServer1
The command is located in the SAS-config-dir\Levn\Web\Scripts
\AppServer directory. On UNIX deployments, the command is
appsrvconfig.sh. For more information, see “SAS Configuration Scripting Tools”
on page 301.
4 Start the SAS Web Application Server instances on the additional machines.
5 Restart SAS Web Server.
Reconfiguring the Web Application
Server
Reconfigure your web application server when any of the following conditions apply:
n
A new SAS web application is added to your deployment.
n
A web application is unconfigured and reconfigured.
n
A software bundle is added to an existing configuration.
It is important to reconfigure your web application server in the same manner that it was
initially configured. If you manually configured SAS Web Application Server when you
initially deployed, then configure it manually again. If the SAS Deployment Wizard
automatically configured your web application server, then choose the automatic
configuration option again.
If the environment was initially configured with the Web Application Server: Multiple
Servers option in the SAS Deployment Wizard, then reconfigure SAS Web Application
Server by using the Custom path in the SAS Deployment Wizard and selecting the Web
Administering Logging for SAS Web Applications
111
Application Server: Multiple Servers again. Reconfiguring SAS Web Application
Server can cause the loss of some customizations, and they need to be reapplied.
For more information, see “Managing Your SAS Deployment” in the SAS Intelligence
Platform: Installation and Configuration Guide.
Administering Logging for SAS Web
Applications
Logging for SAS Web Applications
The SAS web applications use log4j to perform logging. As each web application begins
running, the log4j configuration file for the application is read from SAS-config-dir
\Lev1\Web\Common\LogConfig. After the log4j configuration file is read, the
applications that permit dynamic logging changes check for modifications that were set
with the SAS Web Administration Console.
The following table identifies if customizations can be performed by editing the log4j
configuration file, using dynamic logging changes, or both:
Task
Change the logging levels.
Add a logging category.
Changes persist after web application server restarts.
Add or change an appender to log to console, file,
socket, or ARM.
Change a log filename or location.
Log4j
Configuration
File
Dynamic
Logging
Changes
112 Chapter 8 / Administering SAS Web Applications
Task
Log4j
Configuration
File
Dynamic
Logging
Changes
Change the layout pattern for the log message.
Track user logons. You can monitor usage patterns by
logging activity for SAS web application logons.
For information about the log4j configuration file, see http://logging.apache.org/log4j/
index.html and http://logging.apache.org/log4j/1.2/manual.html.
Logging categories use the fully qualified class name of the class where the logging
message originates. Categories for the following classes are common to all SAS web
applications:
n
com.sas
n
com.sas.services
n
com.sas.services.deployment
n
com.sas.services.discovery
n
com.sas.services.util
Change the Logging Levels
Logging Level Descriptions
Log4j files offer many levels of logging detail. Enabling a level also enables the less
detailed levels above the selected level. The default level is set to WARN, which means
that WARN, ERROR, and FATAL messages are recorded. In large-scale deployments,
the size of the log file can grow rapidly when INFO messages are enabled. However,
you might want to enable the INFO messages during the development and testing
phases.
CAUTION! Excessive logging can degrade performance. Therefore, you should
not use the DEBUG level unless you are directed to do so by SAS Technical
Support.
Administering Logging for SAS Web Applications
113
If you need to debug a problem, it is recommended that you dynamically change the log
output temporarily.
Here is a brief description of each level:
ALL
enables all logging.
TRACE
displays finer-grained informational events than DEBUG.
DEBUG
displays the informational events that are most useful for debugging an application.
INFO
displays informational messages that highlight the progress of the application.
WARN
displays potentially harmful situations.
ERROR
displays error events that might allow the application to continue to run.
FATAL
displays very severe error events that might cause the application to end
abnormally.
OFF
disables all logging.
Using log4j Files
To modify the logging level by editing the log4j files, follow these steps:
1 Change directory to SAS-config-dir\Lev1\Web\Common\LogConfig and edit
the log4j file for the application to modify.
2 Locate the category for the class that you want to modify and modify the value of the
priority parameter:
<category
additivity="false"
name="com.sas.workflow">
114 Chapter 8 / Administering SAS Web Applications
<priority
value="WARN"/>
<appender-ref
ref="SAS_CONSOLE"/>
<appender-ref
ref="SAS_FILE"/>
</category>
3 Restart the web application so that it uses the new configuration.
Applications That Support Dynamic Logging
The following applications support dynamic logging changes. The name in the left
column can be found in the SAS Web Administration Console. The right column shows
the context root and path for the URL to the logging control console.
Table 8.2
Dynamic Logging
Name in Web Administration Console
Context Root for Logging Control Console
Not available
SASAdmin/admin/Logging
Not available
SASAuthorizationServices/admin/Logging
Not available
SASIdentityServices/admin/Logging
Not available
SASPrincipalServices/admin/Logging
BI Web Services for Java 9.4
SASBIWS/admin/Logging
Logon Manager 9.4
SASLogon/admin/Logging
Notification Template Editor 9.4
SASTemplateEditor/admin/Logging
Preferences Manager 9.4
SASPreferences/admin/Logging
SAS Deployment Backup and Recovery Tool
9.4
SASDeploymentBackup/admin/Logging
Shared Applications 9.4
SASSharedApps/admin/Logging
Stored Process Web App 9.4
SASStoredProcess/admin/Logging
Administering Logging for SAS Web Applications
115
Name in Web Administration Console
Context Root for Logging Control Console
Web Infra Platform Permission Manager 9.4
SASPermissionManager/admin/Logging
Web Infra Platform Services 9.4
SASWIPServices/admin/Logging
Web Infra Platfrm ClntAccss 9.4
SASWIPClientAccess/admin/Logging
Web Infra Platfrm Soap Svcs 9.4
SASWIPSoapServices/admin/Logging
Web Report Studio 4.4
SASWebReportStudio/admin/Logging
Workflow Services 9.4
SASWorkflowServices/admin/Logging
Workflow Web Services 9.4
SASWorkflowWebServices/admin/Logging
Using SAS Web Administration Console
The applications that support dynamic logging control from the console are listed in
“Applications That Support Dynamic Logging”.
To configure logging with SAS Web Administration Console:
1 Log on to SAS Web Administration Console.
2 Expand Application Management and then select the web application.
3 Expand the Logging section.
Note: The first time you expand this section, it might indicate that logging
configuration management is not enabled for the application. The applications can
require one minute to refresh and display the control console.
4 Select the radio button for the class and logging level that you want to change.
5 Click Submit Changes. The change takes effect immediately. You do not need to
restart the web application.
116 Chapter 8 / Administering SAS Web Applications
Accessing the Logging Control Console
The logging control console that is displayed in the Logging subsection of the SAS
Web Administration Console can also be accessed directly from the application.
Open a web browser and enter a URL that is similar to the following example:
http://hostname.example.com/SASBIWS/admin/Logging
The list of applications and the context that you need to specify are listed in
“Applications That Support Dynamic Logging”.
Changing the Authorization Requirement for
Changing Logging Levels
To accommodate changing logging levels for some of the applications that support
dynamic logging control without restarting the middle tier, you can change a parameter
that controls security. The parameter can be used to enable or disable the authorization
requirement.
The default value is to require authorization.
To change the security setting, follow these steps:
1 Edit one or more of the following XML files:
n
SASServer1_1\sas_webapps\sas.authorization.services.war\WEBINF\web.xml
n
SASServer1_1\sas_webapps\sas.wip.services.war\WEB-INF\web.xm
n
SASServer1_1\sas_webapps\sas.identity.services.war\WEB-INF
\web.xml
n
SASServer1_1\sas_webapps\sas.svcs.logon.war\WEB-INF\web.xml
n
SASServer1_1\sas_webapps\sas.principal.services.war\WEB-INF
\web.xml
2 Locate the logging servlet section and set the applySecurity parameter:
<servlet>
<servlet-name>logging</servlet-name>
Administering Logging for SAS Web Applications
117
<servlet-class>
com.sas.svcs.webapp.servlet.http.LoggingAdminServlet
</servlet-class>
<init-param>
<param-name>applySecurity</param-name>
<param-value>true</param-value>
</init-param>
</servlet>
3 Restart SAS Web Application Server.
If you made a change and want it to persist when applications are rebuilt and
redeployed, then make the same change in the web.xml.orig file for the application. See
the following list for the locations of the files.
n
SASHOME\SASWebInfrastructurePlatform\9.4\Configurable\wars
\sas.authorization.services\WEB-INF\web.xml.orig
n
SASHOME\SASWebInfrastructurePlatform\9.4\Configurable\wars
\sas.wip.services\WEB-INF\web.xml.orig
n
SASHOME\SASWebInfrastructurePlatform\9.4\Configurable\wars
\sas.principal.services\WEB-INF\web.xml.orig
n
SASHOME\SASWebInfrastructurePlatform\9.4\Configurable\wars
\sas.identity.services\WEB-INF\web.xml.orig
n
SASHOME\SASWebInfrastructurePlatform\9.4\Configurable\wars
\sas.svcs.logon\WEB-INF\web.xml.orig
Change the Location of the Log Files
To modify the location of a log file, follow these steps:
1 Change directory to SAS-config-dir\Lev1\Web\Common\LogConfig and edit
the log4j file for the application to modify.
2 Locate the file appender and modify the value of the file parameter:
<appender
class="org.apache.log4j.FileAppender"
name="SAS_FILE">
118 Chapter 8 / Administering SAS Web Applications
<param
name="append"
value="true"/>
<param
name="file"
value="C:/SAS/Config/Lev1/Web/Logs/SASLogon9.4.log"/>
<layout
class="com.sas.svcs.logging.CustomPatternLayout">
<param
name="ConversionPattern"
value="%d [%t] %-5p [%u] %c - %m%n"/>
</layout>
</appender>
TIP The CustomPatternLayout that is provided by SAS accepts the log4j
conversion characters and two conversion characters that are added by SAS. The
%u conversion character is used to report the client identity that is in the security
context. The %s conversion character is used to report the session identifier that is
in the security context. The log4j conversion characters are described at http://
logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PatternLayout.html.
3 Restart the web application so that it uses the new configuration.
119
9
Administering SAS Logon Manager
About SAS Logon Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Customizing Log On, Log Off, and Time Out Messages . . . . . . . . 120
Step 1: Customize the Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Step 2: Configure SAS Application Infrastructure . . . . . . . . . . . . . . . . 121
Step 3: Rebuild and Redeploy SAS Web
Infrastructure Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Step 4: Back Up the Customized Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Displaying a Warning Message for Inactive User Sessions . . . . 122
Understanding Inactive Users and Time-out Warnings . . . . . . . . . . 122
Step 1: Configure the SAS Application Infrastructure . . . . . . . . . . . . 123
Step 2: Set the Interval for the Inactive Session Warning . . . . . . . 123
Step 3: Enable the Inactive Session Warning . . . . . . . . . . . . . . . . . . . . . 124
Configuring the HTTP Session Time-out Interval . . . . . . . . . . . . . . . . 124
Configuring the Global Single Sign-On Time-out Interval . . . . . .
Understanding the Time-out Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Considerations for Changing the Time-out Interval . . . . . . . . . . . . . .
Specifying a Different Time-out Interval . . . . . . . . . . . . . . . . . . . . . . . . . . .
129
129
129
130
Configuring Middle Tier Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . 130
Disabling Concurrent Logon Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
120 Chapter 9 / Administering SAS Logon Manager
About SAS Logon Manager
The SAS Logon Manager is a web application that handles all authentication requests
for SAS web applications. As a result, users see the same logon page when they
access the SAS web applications.
The purpose of the SAS Logon Manager is to authenticate and direct a successful logon
to the appropriate web application. The application also serves as the central point for
handling changes to authentication mechanisms, such as the addition of Windows SSPI
or third party single sign-on products.
When a user successfully authenticates to SAS Logon Manager, the user receives a
global single sign-on session. This is introduced in the SAS 9.4 release. The global
single sign-on session enables the user to access all the SAS web applications that the
user is authorized to use, without a credential challenge for each web application. The
global single sign-on time-out is independent of the web application time-out interval.
For more information, see the Log user off on timeout policy in Configuring Middle
Tier Security Policies.
Customizing Log On, Log Off, and Time
Out Messages
Step 1: Customize the Message
You can configure a customized message that is displayed when users of SAS web
applications log on, log off, or the session reaches the time out interval. To enable the
display of a custom message, follow these steps:
1 In the SASHOME\SASWebInfrastructurePlatform\9.4\Static\wars
\sas.svcs.logon\WEB-INF\view\jsp\default\ui directory, edit the files
that you want to change:
n
logon_custom.jsp
Customizing Log On, Log Off, and Time Out Messages
n
logoff_custom.jsp
n
timeout_custom.jsp
121
Each file is included as part of an HTML page. Therefore, each should contain valid
HTML code.
2 Save your changes.
Step 2: Configure SAS Application
Infrastructure
1 Log on to SAS Management Console.
2 On the Plug-ins tab, select Application Management  Configuration Manager,
right-click SAS Application Infrastructure, and select Properties.
3 Click the Settings tab.
4 Select Policies in the left pane.
5 Set any or all of these properties to Yes:
n
Display custom logon message
n
Display custom logoff message
n
Display custom timeout message
Click OK.
6 Exit from SAS Management Console.
Step 3: Rebuild and Redeploy SAS Web
Infrastructure Platform
1 Rebuild the SAS Web Infrastructure Platform with the SAS Deployment Manager.
122 Chapter 9 / Administering SAS Logon Manager
2 Redeploy the SAS Web Infrastructure Platform with SAS Deployment Manager.
(Stop SAS Web Application Server before performing the redeploy.)
3 Verify that the custom logoff message is displayed when you log on and log off from
the web application.
Step 4: Back Up the Customized Files
Back up the customized files from the SASHOME\SASWebInfrastructurePlatform
\9.4\Static\wars\sas.svcs.logon\WEB-INF\view\jsp\default\ui
directory.
If a maintenance release is applied to the system, those files are overwritten and your
changes are lost. After applying a maintenance release, restored the customized files.
Displaying a Warning Message for
Inactive User Sessions
Understanding Inactive Users and Time-out
Warnings
Inactive users are directed to a time-out page when their sessions are inactive for 30
minutes or for the amount of time specified by the administrator in the web.xml files.
(You can change this behavior to log users off instead by setting the Log user off on
timeout policy.)
Before being directed to the time-out page, you can alert users about the impending
time-out by displaying a warning message. When the warning message is displayed,
users can click the Continue button to activate and extend their sessions. The following
applications support the display of a warning message:
n
SAS Web Report Studio
n
SAS Information Delivery Portal
Displaying a Warning Message for Inactive User Sessions
n
SAS BI Dashboard
n
SAS Package Viewer
n
SAS Shared applications
n
SAS Preferences
n
SAS Web Administration Console
n
SAS Stored Process
123
If you want to specify a different session time-out interval for each SAS application,
complete this task for each SAS application by defining the
App.SessionTimeoutWarningInterval property and a custom value in minutes.
Step 1: Configure the SAS Application
Infrastructure
To configure the SAS application infrastructure:
1 Log on to SAS Management Console.
2 On the Plug-ins tab, select Application Management  Configuration Manager,
right-click SAS Application Infrastructure, and select Properties.
3 In the SAS Application Infrastructure Properties dialog box, click the Advanced tab.
Step 2: Set the Interval for the Inactive
Session Warning
This set of steps is optional. If you do not specify a value for the
App.SessionTimeoutWarningInterval, a default value of 5 minutes is used.
To set the interval for the inactive session warning:
1 Click Add to define a new property.
2 Enter App.SessionTimeoutWarningInterval in the Property Name field.
124 Chapter 9 / Administering SAS Logon Manager
3 Enter the number of minutes for the inactive session warning in the Property Value
field and click OK.
Step 3: Enable the Inactive Session Warning
To enable the inactive session warning:
1 Click Add to define another new property.
2 Enter Policy.DisplaySessionTimeoutWarning in the Property Name field.
3 Set the value to true and click OK.
To enable these properties to take effect, restart the web application server.
Configuring the HTTP Session Time-out
Interval
A session time-out interval logs off users' inactive sessions after a specific period of
time that is defined in the web application server configuration. The default value for a
session time-out interval is 30 minutes. You can customize the session time-out interval
for your environment by modifying one or more of the web.xml files, and specifying a
different time-out interval.
Be aware that reaching the time-out limit for an application does not end the user’s
global single sign-on session unless the Log user off on timeout policy is set to Yes.
For more information, see Configuring Middle Tier Security Policies.
To specify a session time-out interval, follow these steps:
1 Use the table that follows this procedure to identify the files to modify.
2 Modify the following code in the appropriate files:
<session-config>
<session-timeout>time-out-interval</session-timeout>
</session-config>
Configuring the HTTP Session Time-out Interval
125
Replace time-out-interval with the time-out interval in minutes. As a
recommendation, the number should be no smaller than 5.
When you are finished, save and close the file.
3 Use the SAS Deployment Manager to rebuild the modified SAS web applications.
4 Use the SAS Deployment Manager to redeploy the modified SAS web applications.
The following table lists the file or files that should be modified to specify a time-out
interval for each web application.
Table 9.1
Files to Modify for the Time-out Interval
Web Application
File Location
SAS Deployment
Backup and
Recovery Tool
SAS-install-dir
\SASDeploymentBackupandRecoveryTool
\9.4\configurable\wars\sas.svcs.admin.backup
\WEB-INF\web.xml.orig
SAS Environment
Manager Middle-Tier
Configuration *
SAS-install-dir\SASEnvironmentManagerMidTier
\9.4\Configurable\wars\sas.admapp.fldmod\WEBINF\web.xml.orig
SAS-install-dir\SASEnvironmentManagerMidTier
\9.4\Configurable\wars\sas.admapp\WEB-INF
\web.xml.orig
SAS Help Viewer for
Midtier Applications
SAS-install-dir\Documentation\9.4\Static\wars
\sas.webdoc\WEB-INF\web.xml
SAS-install-dir\Documentation\9.4\Static\wars
\sas.webdoc\WEB-INF\web.spring-enabled.xml
SAS BI Dashboard
SAS-install-dir\SASBIDashboard\4.4\Configurable
\wars\sas.bidashboard\WEB-INF\web.xml.orig
Event generation
framework in SAS BI
Dashboard
SAS-install-dir\SASBIDashboard\4.4\Configurable
\wars\sas.eventsgenerationframework\WEB-INF
\web.xml.orig
126 Chapter 9 / Administering SAS Logon Manager
Web Application
File Location
SAS BI Portlets
SAS-install-dirSASBIPortlets\4.4\Configurable
\wars\sas.biportlets\WEB-INF\web.xmlthirdparty.orig
SAS-install-dirSASBIPortlets\4.4\Configurable
\wars\sas.biportlets\WEB-INF\web.xml-idp.orig
JSR 168 for SAS BI
Portlets
SAS-install-dirSASBIPortlets\4.4\Configurable
\wars\sas.jsr168remoteportlet\WEB-INF
\web.xml.orig
Flex Themes for
SAS*
SAS-install-dir\SASFlexApplicationThemes
\3.51\Configurable\FlexThemes\wars
\sas.flexthemes\WEB-INF\web.xml.orig
SAS Theme Designer SAS-install-dir\SASFlexApplicationThemes
for Flex
\3.51\Configurable\ThemeDesigner\wars
\sas.themedesigner\WEB-INF\web.xml.orig
SAS Package Viewer
SAS-install-dir\SASInformationDeliveryPortal
\4.4\Configurable\wars\sas.packageviewer\WEBINF\web.xml.orig
SAS Information
Delivery Portal
SAS-install-dir\SASInformationDeliveryPortal
\4.4\Configurable\wars\sas.portal\WEB-INF
\web.xml.orig
SAS BI Web
Services *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.biws\WEB-INF
\web.xml.orig
SAS Preferences *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.preferences\WEB-INF
\web.xml.orig
SAS Shared
Applications *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.shared.apps\WEB-INF
\web.xml.orig
Configuring the HTTP Session Time-out Interval
127
Web Application
File Location
SAS Stored
Process *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.storedprocess\WEBINF\web.xml.orig
SAS Logon
Manager *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.svcs.logon\WEB-INF
\web.xml.orig
SAS Web
Infrastructure
Platform Permission
Manager *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.wip.permissions\WEBINF\web.xml.orig
SAS Content Server*
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.svcs.scs\WEB-INF
\web.xml.orig
SAS Authorization
Services
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars
\sas.authorization.services\WEB-INF
\web.xml.orig
SAS Web
Infrastructure
Platform Client
Access *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.wip.access\WEB-INF
\web.xml.orig
SAS Identity
Services *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.identity.services
\WEB-INF\web.xml.orig
SAS Web
Administration
Console *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.wip.admin\WEB-INF
\web.xml.orig
SAS Notification
Template Editor *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.wip.templateeditor
\WEB-INF\web.xml.orig
128 Chapter 9 / Administering SAS Logon Manager
Web Application
File Location
SAS Principal
Services *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.principal.services
\WEB-INF\web.xml.orig
SAS Web
Infrastructure
Platform Services *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.wip.services\WEB-INF
\web.xml.orig
SAS SOAP
Services *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.wip.soapservices
\WEB-INF\web.xml.orig
SAS Workflow Web
Service *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.workflow.webservice
\WEB-INF\web.xml.orig
SAS Workflow *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.workflow\WEB-INF
\web.xml.orig
SAS Shared Web
Assets *
SAS-install-dir\SASWebInfrastructurePlatform
\9.4\Static\wars\sasweb\WEB-INF\web.xml
SAS Web Report
Studio
SAS-install-dir\SASWebReportStudio
\4.4\Configurable\wars\sas.webreportstudio\WEBINF\web.vfabrictcsvr.xml.orig
*
The session-config element described in Step 2 must be added to the web.xml.orig file for this
application.
Configuring the Global Single Sign-On Time-out Interval
129
Configuring the Global Single Sign-On
Time-out Interval
Understanding the Time-out Interval
The time-out interval for the global single sign-on is different from the HTTP session
time-out interval that is set in the web.xml file for web applications. The default HTTP
session time-out interval is 30 minutes. When it is met, the web application ends the
HTTP session. However, the default value for the global single sign-on time-out interval
is 12 hours. If the user accesses a timed-out web application within that interval, or any
other SAS web application, a new HTTP session is created.
TIP This behavior can be changed so that reaching an HTTP session time-out
causes the global single sign-on session to time-out as well. Set the Log user off on
timeout policy is set to Yes. For more information, see Configuring Middle Tier
Security Policies.
One area where the HTTP session time-out and global single sign-on time-out are
similar is that they both are reset when a user accesses an application.
Considerations for Changing the Time-out
Interval
The interval should be short enough to alleviate security concerns that the single signon session remains available for too long.
The interval must be long enough that users do not reach the time-out interval while
they are using the application. If a user reaches the global single sign-on time-out
interval, the user must provide credentials and reauthenticate.
130 Chapter 9 / Administering SAS Logon Manager
Specifying a Different Time-out Interval
If you choose to use a different value than the default, 12 hours, then specify the
number of milliseconds in the -Dsas.tgt.expiration.period=inverval-inmilliseconds JVM option.
You need to specify this option for the instances of SAS Web Application Server that
are used for running SAS Logon Manager only.
Windows Specifics: Add the JVM option to the SASServer1_1\conf
\wrapper.conf file.
UNIX Specifics: Add the JVM option to the SASServer1_1/bin/setenv.sh file.
Configuring Middle Tier Security
Policies
The policies identified in the following table are configured with SAS Management
Console. For more information, see “Setting Global Properties for SAS Applications” on
page 69.
Table 9.2
Middle Tier Security Policies
Policy Name
Default
Value
Description
Check for metadata updates
Check on
navigation
This is a deprecated property. Do not change
the value unless you are directed to by SAS
technical support.
Profile refresh interval
600000
This is a deprecated property. Do not change
the value unless you are directed to by SAS
technical support.
Configuring Middle Tier Security Policies
131
Policy Name
Default
Value
Allow client password storage
Yes
Indicates whether the site permits remote
SAS clients to store user password
credentials locally on the client. Many sites
prohibit end-user clients from caching or
persisting passwords for use in distributed
applications.
Log user off on timeout
No
Determines how a time-out in one SAS web
application affects a user’s global single signon session. When this value is set to No, a
user can reach a time-out limit in one web
application but still have a valid global single
sign-on session and be able to use other web
applications. When this value is set to Yes,
whenever any web application reaches a
time-out limit, the global single sign-on
session is ended and the user must
reauthenticate to use a web application.
Description
Setting this value to Yes reproduces the
behavior provided in SAS 9.3 and earlier
releases.
Allow user log on from web
logoff page
Yes
Determines whether to display a Log On
button on the logoff successful page. Some
sites, especially those that deploy walk-up
kiosks, might want to ensure that their
application users close the browser for added
security.
Allow user logon from web
timeout page
Yes
Determines whether to display a Log On
button on the session timed out page. Some
sites, especially those that deploy walk-up
kiosks, might want to ensure that their
application users close the browser for added
security.
Display custom logon message
No
Determines whether to display a custom
message or custom page on the standard
logon page.
132 Chapter 9 / Administering SAS Logon Manager
Policy Name
Default
Value
Display custom logoff message
No
Determines whether to display a custom
message or custom page on the standard
logoff successful page.
Display custom timeout
message
No
Determines whether to display a custom
message or custom page on the standard
session timed out page.
Display logoff security
message
Yes
Determines whether to display a security
message on the logoff successful page.
Some sites, especially those that deploy
walk-up kiosks, might want to ensure that
their application users close the browser for
added security.
Display timeout security
message
Yes
Determines whether to display a security
message on the session timed out page.
Some sites, especially those that deploy
walk-up kiosks, might want to ensure that
their application users close the browser for
added security. For more information about
time out values, see “Configuring the HTTP
Session Time-out Interval” on page 124.
Display failed logon hints
No
Determines whether to display detailed
messages on the failed logon page (for
example, to indicate that the password was
invalid). If this policy is set to No, the systemgenerated exceptions and errors are still
displayed, such as if the system is quiesced
or if the SAS Metadata Server is paused. If
the value is No, the only message that is
displayed for any user input failure is the
invalid credentials message.
Enable autocomplete feature
on logon page
No
Determines whether to use the autocomplete
feature that is provided by the web browser
on the logon page.
Description
Disabling Concurrent Logon Sessions
Policy Name
Allow clients to keep service
sessions alive
Default
Value
Yes
133
Description
Determines whether desktop client
applications keep middle tier resources alive.
If set to No, then middle tier resources time
out in a similar manner to web applications. If
set to Yes, then desktop client applications
ping the server to keep the resources
available.
Disabling Concurrent Logon Sessions
The default behavior for the SAS Logon Manager and the other SAS web applications is
to permit multiple logon sessions. However, it is possible to configure an advanced
middle-tier security policy to prevent multiple logon sessions. When this policy is active,
users can log on to one SAS web application at a time. When users use the Log Off
link that is provided in the application banner, the logon session is destroyed, and users
can log on to a SAS web application again.
You must specify the concurrent logon session behavior:
deny
When you specify deny, the user receives a message from SAS Logon Manager that
a session is already active. The user cannot log on until the existing session expires
or an administrator uses the SAS Web Administration Console to Force Log Off the
user.
logoff
When you specify logoff, the existing session is logged off and the user is logged
on to the requested web application.
To disable concurrent logon sessions, follow these steps:
1 Log on to SAS Management Console.
134 Chapter 9 / Administering SAS Logon Manager
2 On the Plug-ins tab, select Application Management  Configuration Manager,
right-click SAS Application Infrastructure, and select Properties.
3 In the SAS Application Infrastructure Properties dialog box, click the Advanced tab.
4 Click Add to define a new property.
5 Enter Policy.ConcurrentUserLogins in the Property Name. Enter either deny or
logoff in the Property Value field.
6 Click OK.
Settings are not applied and made active automatically. You must restart the SAS Web
Infrastructure Platform Services or the web application server.
135
10
Administering the SAS Content Server
About the SAS Content Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
SAS Content Server Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Moving Content or Backing Up the SAS Content Server . . . . . . . 137
Deploying Content Manually to the SAS Content Server . . . . . . . 138
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Security Considerations for SAS Content Server Scripts . . . . . . . . 139
Load Content Manually to the SAS Content Server . . . . . . . . . . . . . . 140
Update Content Manually for the SAS Content Server . . . . . . . . . . 141
Adjust Directive URLs Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Log Files Generated by the Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Using the SAS Content Server Administration Console . . . . . . . . 144
About the SAS Content Server Administration Console . . . . . . . . . 144
Access the SAS Content Server Administration Console . . . . . . . 144
A Brief Tour of the Console Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Modify Permissions for WebDAV Folders and Files . . . . . . . . . . . . . 147
Create a New Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Add Files to the SAS Content Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Delete Folders or Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Implementing Authorization for the SAS Content Server . . . . . . . 151
Overview of SAS Content Server Authorization . . . . . . . . . . . . . . . . . . 151
Example Scenario: SAS Content Server Authorization . . . . . . . . . . 152
Manual Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
136 Chapter 10 / Administering the SAS Content Server
When Do I Need to Perform These Tasks? . . . . . . . . . . . . . . . . . . . . . . . 155
Reconfiguring the WebDAV Repository URL . . . . . . . . . . . . . . . . . . . . . 155
Reconfiguring the Server Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
About the SAS Content Server
The SAS Content Server is a content repository that stores digital content (such as
documents, reports, and images) created and used by SAS client applications.
Examples of such content include reports and documents created by users of SAS Web
Report Studio and the SAS Information Delivery Portal.
The Web Distributed Authoring and Versioning (WebDAV) protocol is currently the main
method used to access the SAS Content Server. In addition to the basic features of
HTTP, the WebDAV protocol is an extension to HTTP and provides Write access,
version control, search, and other features.
The SAS Content Server is a web application and starts when the web application
server is started.
Three JVM options are related to the SAS Content Server deployment. In the event that
the deployment of SAS Content Server changes, the JVM options can be used to set
the new values.
Table 10.1
SAS Content Server JVM Options
JVM Option
Description
-Dsas.scs.scheme
Specify http or https.
-Dsas.scs.host
Specify the host name of the web application server.
-Dsas.scs.port
Specify the port number of the web application server
instance.
-Dsas.scs.repository.dir
Specify the path to the repository. The specified
directory is used for indexes and metadata. The digital
content is stored in a relational database.
Moving Content or Backing Up the SAS Content Server
137
SAS Content Server Storage
The SAS Content Server uses a database for storage. SAS Content Server uses the
same database that is used by the SAS Web Infrastructure Platform. The default
configuration for the SAS Web Infrastructure Platform is to use the SharedServices
database instance on the SAS Web Infrastructure Platform Data Server. However, the
SAS Web Infrastructure Platform can be configured to use a third-party vendor
database such as Oracle, MySQL, PostgreSQL, DB/2, SQL Server, or Teradata.
When a third-party vendor database is used, make sure that the database is configured
to accept large binary objects such as documents and images. For example, on
MySQL, the max_allowed_packet variable must be set at least as large as the largest
binary object in the SAS Content Server repository.
Moving Content or Backing Up the SAS
Content Server
The SAS Content Server should be backed up whenever the metadata server is backed
up. For instructions about how to back up the SAS Content Server, see “Best Practices
for Backing Up Your SAS System” in the SAS Intelligence Platform: System
Administration Guide.
Use the WebDAVDump and WebDAVRestore utilities to:
n
Back up specific locations such as a subset of the WebDAV content.
n
Create a backup for input to a system other than the SAS Content Server.
n
Move content from one SAS Content Server to another one.
n
Share content that is available in the SAS Content Server.
For instructions about using the WebDAVDump and the WebDAVRestore utilities, see
SAS Note 38667.
138 Chapter 10 / Administering the SAS Content Server
Deploying Content Manually to the SAS
Content Server
Overview
SAS web applications such as the SAS Information Delivery Portal and SAS Web
Report Studio require the availability of content for its users. The SAS Content Server
provides a WebDAV content repository that stores digital content (such as documents,
reports, and images) that is created and used by SAS client applications.
To enable the availability of the content in the SAS Content Server, you can load
content, update existing content, and adjust web applications that store SBIP URLs.
These tasks can be automated or they can be performed manually.
The following table shows the choices available in the SAS Deployment Wizard, and the
results or manual tasks that follow these choices.
Table 10.2
Selecting Automatic Options or Manual Performance of Tasks
Options Selected in SAS Deployment Wizard
SAS Web Server: Automated or Manual
Configuration Option
Web Applications: Automatic Deployment
Deploy web applications automatically is
selected
SAS Web Server: Automated or Manual
Configuration Option
Web Applications: Automatic Deployment
Deploy web applications automatically is not
selected
Results and Instructions for Manual
Tasks
SAS Web Server and SAS Web
Application Server are configured
automatically. SAS web applications are
deployed automatically, and content is
loaded to the SAS Content Server. If
applicable, web applications that store
SBIP URLs are adjusted automatically.
SAS Web Server and SAS Web
Application Servers are configured
automatically. Instructions are provided
on how to manually deploy SAS web
applications, load content to the SAS
Content Server, and adjust any web
applications that store SBIP URLs.
Deploying Content Manually to the SAS Content Server
Options Selected in SAS Deployment Wizard
Manually configure SAS Web Server, SAS Web
Application Server, deploy the web applications,
load the content to the SAS Content Server, and
adjust any web applications that store SBIP URLs.
139
Results and Instructions for Manual
Tasks
Instructions are provided on how to
perform all tasks manually.
The following table shows when you can load or update content (and adjust URLs)
either automatically or manually.
Table 10.3
Criteria for Deploying Content to the SAS Content Server
Configuration of
Web Application
Server
Deployment
of Web
Applications
Load Content
Update Content
Adjust URLs
Automatic
Automatic
Automatic
Automatic
Automatic
Automatic
Manual
Manual
Manual
Manual
Manual
Manual
Manual
Manual
Manual
The following table shows the files associated with loading content to the SAS Content
Server or updating content. The filename for the batch or script file includes the order
number.
Security Considerations for SAS Content
Server Scripts
The scripts that are described in this section for loading content, updating content, and
adjusting URLs use the SAS Administrator and SAS Trusted User credentials. For
deployments that performed a manual deployment of the SAS web applications, these
scripts include the user IDs and an encoded form of the password. For deployments
that performed an automatic deployment of the SAS web applications, the scripts
include the user IDs, but do not include the passwords in any form.
Passwords in these files, whether added by the SAS Deployment Wizard, or by a SAS
administrator, are not updated with the Update passwords feature of the SAS
140 Chapter 10 / Administering the SAS Content Server
Deployment Manager. Running the scripts with an expired password, or no password,
provides a log result like the following example:
Output 10.1
Log File Example for Invalid Credentials
config.init:
[echo] ant.version=Apache Ant version 1.7.0 compiled on December 13 2006
[echo] ant.file=/opt/SASHome/SASWebInfrastructurePlatform/9.4/Config/webinfpltfm_config.xml
[echo] file.encoding=ISO646-US
[echo] about to read property file because config.init.set=${config.init.set}
[GetObjectProperties] Error connecting to the metadata server: Access denied.
[GetObjectProperties]
Host: hostname.example.com
[GetObjectProperties]
Port: 8561
[GetObjectProperties]
User: sasadm@saspw
[GetObjectProperties]
m_mdFactory: com.sas.metadata.remote.MdFactoryImpl@74db2c
[GetObjectProperties] Error finding foundation repository: Encountered metadata exception.
BUILD FAILED
/opt/SASHome/SASDeploymentManager/9.4/products/
cfgwizard__nnnnn__prt__xx__sp0__1/Utilities/configuration_targets.xml:95: null
If you need to update or add a password, use the PWENCODE procedure. The
following code example shows how to generate the encoded form of the password
changeit. Copy and paste the result into the scripts.
Example Code 10.1 PWENCODE Procedure Example
proc pwencode in="changeit" method=sas002; run;
The SAS log shows the value to copy and paste into the script:
{SAS002}4DE4CF4F130AC6BE4A6934E0596C8222
After you run the scripts, remove the encoded form of the passwords from the scripts as
an additional security measure.
Load Content Manually to the SAS Content
Server
If you deploy SAS web applications manually, you need to load content manually to the
SAS Content Server. For information about how to load content manually for SAS web
applications, see your Instructions.html file.
Use the following batch file or shell script to load content manually:
n
On Windows:
Deploying Content Manually to the SAS Content Server
141
SAS-config-dir\Lev1\Web\Utilities\manualLoadContentOrderNumber.bat
n
On UNIX and z/OS:
SAS-config-dir/Lev1/Web/Utilities/manualLoadContent.shOrderNumber.sh
If web applications were deployed manually, this script contains the credentials for the
SAS Administrator, as well as the SAS Trusted User. The password is always encrypted
in the file. After loading content successfully, remove credentials for the SAS
Administrator and the SAS Trusted User.
If web applications were deployed automatically, the script does not contain the required
credentials. You must manually enter the required credentials in this script file.
Update Content Manually for the SAS
Content Server
If you deploy updated SAS web applications manually, you must manually update the
DAV content in the SAS Content Server. For more information, see your
UpdateInstructions.html file, which is located in the SAS-config-dir /Lev1/
Documents directory.
You must update content manually before portal content is promoted to SAS
Information Delivery Portal 4.4. In this case, data explorations must be converted to
reports, and directive URLs should be adjusted manually. For more information, see
“Promote the Entire Portal Application Tree” in Chapter 13 of SAS Intelligence Platform:
Web Application Administration Guide.
Use the following batch file or shell script to update the DAV content manually:
n
On Windows:
SAS-config-dir\Lev1\Web\Utilities\manualUpdateContentOrderNumber.bat
n
On UNIX and z/OS:
SAS-config-dir/Lev1/Web/Utilities/manualUpdateContentOrderNumber.sh
142 Chapter 10 / Administering the SAS Content Server
If web applications were deployed manually, this script contains the credentials for the
SAS Administrator, as well as the SAS Trusted User. The password is always encrypted
in the file. After loading content successfully, remove credentials for the SAS
Administrator and the SAS Trusted User.
If web applications were deployed automatically, the script does not contain the required
credentials. You must manually enter the required credentials in this script file.
Adjust Directive URLs Manually
Directive URLs are updated either during the migration of a product from one version to
another version, or when a product's content is modified and updates are required.
When the script is run to adjust URLs, it updates references to metadata that has
moved either during migration or an upgrade. These references are stored as SBIP
URLs.
You must update content manually before portal content is promoted to SAS
Information Delivery Portal 4.4. In this case, data explorations must be converted to
reports and directive URLs should be adjusted manually. For more information, see
“Promote the Entire Portal Application Tree” in Chapter 13 of SAS Intelligence Platform:
Web Application Administration Guide.
Here are some examples of instances that require adjusting URLs manually:
n
When a migration is performed, some reports might be moved to a user’s home
folder. If there were references to the data in those reports (in the form of SBIP
URLs), then those references are updated by the script.
n
During a migration or an upgrade, data explorations are converted to reports. If there
were references to the data explorations (in the form of SBIP URLs), then those
references are updated by the script.
After updating content manually for the SAS Content Server, adjust directive URLs
manually by running the appropriate script or batch file:
n
On Windows:
SAS-config-dir\Lev1\Web\Utilities\manualAdjustURLsOrderNumber.bat
Deploying Content Manually to the SAS Content Server
n
143
On UNIX and z/OS:
SAS-config-dir/Lev1/Web/Utilities/manualAdjustURLsOrderNumber.sh
The instructions for running the script or batch file are provided in the
Instructions.html migration or the UpdateInstructions.html file during an
upgrade. The script contains the credentials for the SAS Administrator, as well as the
SAS Trusted User. The password is always encrypted. When you have successfully
loaded the content, remove the credentials for the SAS Administrator and the SAS
Trusted User.
Log Files Generated by the Scripts
When any of the scripts in the previous sections are run, log files are produced for each
SAS web application that is affected. Log messages are written to a file called
product-name_script-name_date-and-time.log For UNIX and z/OS machines,
the log filename always includes the date and timestamp. For Windows machines, the
log filename includes the date and timestamp for machines that use an English locale
only.
These log files are located in the following directories:
On Windows:
SAS-config-dir\Lev1\Logs\Configure
On UNIX and z/OS:
SAS-config-dir/Lev1/Logs/Configure
144 Chapter 10 / Administering the SAS Content Server
Using the SAS Content Server
Administration Console
About the SAS Content Server Administration
Console
The SAS Content Server Administration Console enables you to manage files and
WebDAV folders in the SAS Content Server. Using the console, you can perform the
following management tasks:
n
view folders
n
control access to WebDAV folders and files by setting permissions
n
create folders
n
delete folders
Access the SAS Content Server
Administration Console
To access the console, enter the following URL in your web browser and substitute the
server name and port number of your SAS Content Server:
http://server:port/SASContentServer/dircontents.jsp
Note: This console is also part of the SAS Web Administration Console. You can
administer the SAS Content Server by using either interface. For more information
about accessing the SAS Web Administration Console, see “Using the SAS Web
Administration Console ” on page 86.
Log on to the console with an unrestricted user ID (for example, sasadm@saspw). In
order to use the console, you must be logged on as an unrestricted user. This provides
full administrator rights to use the console.
Using the SAS Content Server Administration Console
145
As a security precaution, make sure that you log off when you are finished using the
console. If you go to another URL or close the tabbed page in your browser without
logging off, your console logon remains in effect. This means that the console can be
accessed again without re-entering a user name and password.
A Brief Tour of the Console Interface
The following display shows an example SAS Content Server Administration Console
as it appears in a browser window:
Display 10.1
SAS Content Server Administration Console
Objects in the console are either folders or files. By default, the initial view of the
console displays the following folders:
sascontent
contains content that has been added to SAS Content Server by SAS applications.
You see a folder only if the folder contains content.
sasdav
contains content that has been added to the SAS Content Server. By default,
sasdav contains the following folders:
n
sasdav/Users contains personal repository folders for users. A user's folder is
created automatically when the user logs on to a SAS web application. Users
have full rights to their own folders.
n
sasdav/Templates contains templates that are used for e-mail notification in
SAS solutions.
146 Chapter 10 / Administering the SAS Content Server
sasfolders
contains content that has been defined in the SAS Folders tree in the SAS Metadata
Server. You see a folder only if the folder contains content.
CAUTION! Administrators should not manage folders and content here. The
content within this folder and subfolders is mapped to SAS Folders in the SAS
Metadata Server. It is recommended that you use the SAS Management Console to
add and manage folders.
Depending on the software that is installed at your site, your console might contain
additional folders.
To navigate in the console, follow these steps:
1 Click an item in the list to display information about that item.
2 Use the breadcrumb trail above the list to return to a parent folder. For example, in
the
breadcrumb trail, click sasdav to return to the sasdav folder.
The console displays the following information for each item listed:
Item name
displays the name of the folder or file.
Primary type
is an internal value that designates the type of object in the repository.
Date created
is the date on which the object was created.
Date modified
is the date on which the object was modified.
Delete
when the delete button is clicked, the selected objects are deleted.
Permissions
when the permissions icon
modified for the object.
is clicked, opens a page where permissions can be
Using the SAS Content Server Administration Console
147
Modify Permissions for WebDAV Folders and
Files
The sasfolders directory should be accessed only by trusted or unrestricted users.
These users are recognized as unrestricted administrators for the SAS Content Server,
and do not require the Access Control List (ACL) to grant them access to this directory.
If other types of users attempt to access this location, their permissions are verified
before they are granted any access.
The sasdav directory can be accessed by regular users, and ACLs can be used to
grant access to specific users and groups.
Principals can be granted permissions for folders and files. In the SAS Content Server,
a principal is either a user or a group of users defined in the SAS Metadata Server.
Principals can be given permissions that allow them to perform specific tasks such as
reading an object, writing to an object, deleting an object, and so on.
You set permissions for an object by specifying which principals have which types of
access. To modify permissions for an object, follow these steps:
1 Click the permission icon
next to the item that you want to modify. A permissions
page appears.
2 For each principal listed, modify the permissions by changing each permission to
Yes or No.
Note: You might see a principal named jcr:authenticated. This principal refers to
any user who can log on to a SAS web application. By default, authenticated users
have Read and Inherit Read permissions only.
3 To add more principals to the page, do one of the following:
n
If you know the principal's name, enter it in the field and click Save changes.
n
Click Search for Principals to search for a name. When you find the principal
that you want to add, select the check box next to the principal's name and then
click Return.
148 Chapter 10 / Administering the SAS Content Server
After the principal's name appears on the permission page, you can set permissions
for the principal.
The following display shows a portion of the console with permissions for a folder:
Display 10.2 Folder Permissions in the SAS Content Server
The following permissions are available for you to apply to objects:
Table 10.4
Permissions for Objects
Permissions
Purpose
Read
Allows the principal to read the object. For folders, this
permission allows the principal to see the members of the
folder.
Write
Allows the principal to write an object. For folders, this
permission allows the principal to create new objects in a
folder.
Delete
Allows the principal to delete the object.
Admin
Allows the principal to change the permissions on an object.
Inherit Read
Objects created in this folder inherit this setting for their
Read permission (and Inherit Read permission for
subfolders).
Using the SAS Content Server Administration Console
Permissions
Purpose
Inherit Write
Objects created in this folder inherit this setting for their
Write permission (and Inherit Write permission for
subfolders).
Inherit Delete
Objects created in this folder inherit this setting for their
Delete permission (and Inherit Delete permission for
subfolders).
Inherit Admin
Objects created in this folder inherit this setting for their
Admin permission (and Inherit Admin permission for
subfolders).
149
Note: Inherited permissions are assigned when objects are created. Each object has its
own set of permissions. Inherited permissions are static; dynamic inheritance does not
occur.
If you are applying permissions to folders, then the following options are available:
Table 10.5
Results of Applying Permissions to Folders
Permissions for Folders
Results
Subfolders and files
Changed permissions are applied to
subfolders and files that exist below the
current folder.
This folder only
Changed permissions are applied to
subfolders and files that exist in the current
folder.
Overwrite permissions for all
Changed permissions are applied to all
folders and files.
Create a New Folder
To add a folder below the current folder, enter the name of the new folder in the field
and click Add Folder.
150 Chapter 10 / Administering the SAS Content Server
Note: Although you can add a folder to the sasfolders location, the folder that you add
is not added to the SAS Metadata Server. The best practice is to add folders to
metadata using SAS Management Console.
Add Files to the SAS Content Server
You cannot use the SAS Content Server Administration Console to add files to folders.
To add files, you can use one of the following methods:
n
Use Microsoft web folders to add content to the appropriate folder. You must use a
browser on a Windows client machine in order to use this method.
For example, the sasdemo user might open the following location as a web folder:
http://myServer/SASContentServer/repository/default/sasdav/
Users/sasdemo/
Then, copy and paste content into the folder.
n
Use the SAS DAVTree utility to drag and drop folders or files into console folders.
To use this utility, run the following command:
SAS-config-dir\Levn\Web\Utilities\DAVTree.bat
On UNIX and z/OS, the utility command is DAVTree.sh.
For more information about using DAVTree, see “Using the DAVTree Utility to
Manage WebDAV Content ” on page 282.
n
Use the SAS Publishing Framework to publish files to the WebDAV repository.
Portal users can publish portal content to the WebDAV repository by using the
portal's publish and subscribe tools.
n
Programmatically publish content to WebDAV.
Usage of these tools and techniques is beyond the scope of this documentation (with
the exception of the DAVTree utility).
Implementing Authorization for the SAS Content Server
151
Delete Folders or Files
Delete a single or multiple folders when you are sure that the folders and their contents
are not required.
CAUTION! Exercise caution when deleting items from the SAS Content Server.
When deleting folders, the following rules apply:
n
Do not delete the sasdav or sasfolders directories.
n
If you delete an item in the sasfolders tree, then applications that rely on the
content mapping between the SAS Content Server and the SAS Metadata Server
might not be able to access the content. To add and delete SAS metadata objects,
use SAS Management Console.
For information about the best practices to follow for managing SAS folders in SAS
Management Console, see “Working With SAS Folders” in the SAS Intelligence
Platform: System Administration Guide.
n
When you delete a folder, all objects within that folder are also deleted.
To delete a folder or file, select the check box for the folder or file from the Delete
column. Click the Delete button. The item is deleted. You are not prompted to confirm
the deletion. To delete multiple items, select multiple check boxes from the Delete
column.
Implementing Authorization for the SAS
Content Server
Overview of SAS Content Server
Authorization
SAS users and groups are defined in a SAS Metadata Repository. The SAS Web
Administration Console enables you to specify which users or groups are authorized to
152 Chapter 10 / Administering the SAS Content Server
access specific folders in the SAS Content Server repository, and what type of access
permissions they have for the folders.
Use the SAS Web Administration Console to create folders and associate access
controls with the folders.
Note: This topic does not describe authentication for the SAS Content Server. By
default, SAS Content Server users are authenticated by using SAS token
authentication.
Before you can associate access controls with a folder, you must complete these tasks:
1 Use the SAS Web Administration Console to create the folder on the SAS Content
Server.
2 Ensure that the appropriate user and group definitions exist on the SAS Metadata
Server for the SAS Content Server users and groups for whom you want to control
access to the folder.
After you have created the WebDAV folders and have ensured that the appropriate user
and group definitions are created on the SAS Metadata Server, use SAS Web
Administration Console to associate access controls with the folders.
Example Scenario: SAS Content Server
Authorization
Within your portal implementation, you might use the publish and subscribe capabilities
to publish (write) and subscribe to (read) group folders on a WebDAV publication
channel.
The following scenario shows the application's publish and subscribe setup for sales
and executive teams that need different access to read (subscribe to) and write
(publish) information that is stored in three different directories on the SAS Content
Server. On the SAS Metadata Server, these teams are represented by two groups,
Americas Sales and Sales Executives.
This publish and subscribe scenario has a requirement for three different content areas,
or group folders, on the SAS Content Server:
Implementing Authorization for the SAS Content Server
153
n
Catalog Sales: The /sasdav/Catalog Sales directory contains catalog sales
information. The Americas Sales and Sales Executives groups can both read
(subscribe to) and write (publish) information.
n
Field Sales: The /sasdav/Field Sales directory contains direct sales
information. The Americas Sales and Sales Executives groups can both read, but
only the Sales Executives group can write information.
n
Sales Execs: The /sasdav/Sales Execs directory contains executive-level sales
information. Only the Sales Executives group can read and write information.
The following table summarizes this scenario's group-based folders on the SAS Content
Server, and the permissions for each group:
Table 10.6
Summary of WebDAV Folders on the SAS Content Server
Folder
Americas Sales
Sales Executives
/sasdav/Catalog Sales
Read, Write
Read, Write
/sasdav/Field Sales
Read
Read, Write
/sasdav/Sales Execs
(none)
Read, Write
To create this sample configuration, follow these steps:
1 In SAS Management Console, define the users, groups, and login credentials that
need to access the SAS Content Server. When you define login credentials, you
must specify the same authentication domain name that you specified for the SAS
Content server during installation.
For this example, the following users, groups, and logins are defined:
Table 10.7
Example Users, Groups, and Logins
Group Metadata
Identities
User Metadata
Identities
User ID
Authentication
Domain
America Sales
salesusr1
salesusr1
DefaultAuth
154 Chapter 10 / Administering the SAS Content Server
Group Metadata
Identities
User Metadata
Identities
User ID
Authentication
Domain
Sales Executives
execusr1
execusr1
DefaultAuth
SAS Trusted User
sastrust
sastrust
DefaultAuth
For example, the America Sales group contains a user named salesusr1 as a
member, and salesusr1 has an associated login with a user ID of salesusr1 and an
authentication domain of DefaultAuth. The America Sales group might include other
members as well.
2 In the SAS Web Administration Console, create your new directory under the sasdav
directory. For this example, navigate to the sasdav directory, and then create these
three subdirectories: Catalog Sales, Field Sales, and Sales Execs.
3 In the SAS Web Administration Console, configure the access permissions for the
folders that you created. For this example, set the access permissions for each
subdirectory, using the following tables as guides:
Table 10.8
WebDAV Permissions for /sasdav/Catalog Sales
Group
Read
Write
Delete
Inherit
Read
Inherit
Write
Inherit
Delete
Americas
Sales
Yes
Yes
No
Yes
Yes
No
Sales
Executives
Yes
Yes
No
Yes
Yes
No
Table 10.9
WebDAV Permissions for /sasdav/Field Sales
Group
Read
Write
Delete
Inherit
Read
Inherit
Write
Inherit
Delete
Americas
Sales
Yes
No
No
Yes
No
No
Manual Configuration Tasks
Group
Read
Write
Delete
Inherit
Read
Inherit
Write
Inherit
Delete
Sales
Executives
Yes
Yes
No
Yes
Yes
No
Table 10.10
155
WebDAV Permissions for /sasdav/Sales Execs
Group
Read
Write
Delete
Inherit
Read
Inherit
Write
Inherit
Delete
Americas
Sales
No
No
No
No
No
No
Sales
Executives
Yes
Yes
No
Yes
Yes
No
Manual Configuration Tasks
When Do I Need to Perform These Tasks?
Whenever there is a change that affects how applications access SAS Content Server,
the connection information related to the server might need to be updated. Two
common changes that require that you update the information are as follows:
n
changing from HTTP to HTTPS manually. (When HTTPS is configured with the SAS
Deployment Wizard, the wizard sets all the connections automatically.)
n
adding a proxy to the network, such as Apache HTTP Server, IBM Tivoli Access
Manager WebSEAL, or CA SiteMinder.
Reconfiguring the WebDAV Repository URL
In a SAS Enterprise Business Intelligence deployment, the following applications use an
information service to retrieve the repository connection information from metadata:
156 Chapter 10 / Administering the SAS Content Server
n
Remote Services
n
SASBIPortlets4.4 Local Services
n
SASJSR168RemotePortlet4.4 Local Services
n
SASPackageViewer4.4 Local Services
n
SASPortal4.4 Local Services
n
SASStoredProcess9.4 Local Services
n
SASWebReportStudio4.4 Local Services
n
SASVisualAnalyticsTransport6.2 Local Services
Note: Your deployment can include additional applications that need to be
reconfigured.
You need to perform this task after the following changes:
n
You reconfigured SAS Web Server from HTTP to HTTPS manually.
n
You altered the network topology for high availability by adding a load balancer or
reverse proxy.
To reconfigure the WebDAV URL for the applications, perform the following steps in
SAS Management Console:
1 Select Environment Management  Foundation Services Manager.
2 Select the application and then select Core  Information Service.
3 Right‐click Information Service and select Properties.
4 In the Information Service Properties dialog box, click the Service Configuration
tab and then click Configuration.
5 In the Information Service Configuration dialog box, click the Repositories tab.
6 Select WebDAV and then click Edit.
7 Change the connection information. See the following list for common changes:
Manual Configuration Tasks
157
n
If you added a proxy or load balancer to the network to provide high availability,
specify the connection information for the proxy.
n
If you configured SAS Web Server manually for HTTPS, enter the HTTPS port
and select the Secure check box.
8 Click OK to close the Information Service Configuration dialog box.
9 Click OK to close the Information Service Properties dialog box.
Reconfiguring the Server Connection
Use the Server Manager plug-in in SAS Management Console to reconfigure the
connection information for SAS Content Server.
You need to perform this task after the following changes:
n
You reconfigured SAS Web Server from HTTP to HTTPS manually.
n
You altered the network topology by adding a load balancer or existing customersupplied reverse proxy.
To reconfigure the server connection, perform the following steps in SAS Management
Console:
1 Select Environment Management  Server Manager  SAS Content Server
2 In the right‐hand pane, right‐click the connection icon, and select Properties.
3 Click Options, modify the connection parameters, and click OK.
4 Select the Folders tab.
5 Select SAS Folders, right-click and select Properties.
6 Click the Content Mapping tab and select SAS Content Server from the Server
menu. Click OK and confirm the content mapping change.
158 Chapter 10 / Administering the SAS Content Server
For a network topology or protocol change, the SAS Content Server web application
must also be updated with information about the connection point that is accessed with
a web browser. For a topology change, the connection point might be a load balancer or
an existing customer-supplied reverse proxy. For a protocol change, you need to
perform these steps if SAS Web Server is reconfigured manually from HTTP to HTTPS.
To reconfigure the connection information in the SAS Content Server web application,
edit the following files and change all instances of the connection information:
n
SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\sas_webapps
\sas.svcs.scs.war\WEB-INF\web.xml
n
SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\sas_webapps
\sas.svcs.scs.war\WEB-INF\spring-config\webapp-config.xml
As an alternative, you can edit the ORIG files that are part of the installed files in
SASHome. In this case, you need to rebuild and redeploy the web application with the
SAS Deployment Wizard.
159
11
Administering the SAS BI Web
Services
Overview of SAS BI Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Managing Generated Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Configuring SAS BI Web Services for Java . . . . . . . . . . . . . . . . . . . . . . . . 161
Overview of Security for Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Securing SAS BI Web Services for Java . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
SAS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Editing the web.xml File for Third-Party Authentication . . . . . . . . . . 168
Transport-Layer Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Overview of SAS BI Web Services
A web service is an interface that enables communication between distributed
applications. Web services enable cross-platform integration by enabling applications
that are written in various programming languages to communicate by using a standard
web-based protocol, typically the Simple Object Access Protocol (SOAP) or
Representational State Transfer (REST). This functionality makes it possible for
businesses to bridge the gaps between different applications and systems.
The following list identifies key changes that were introduced with SAS 9.3:
160 Chapter 11 / Administering the SAS BI Web Services
n
SAS BI Web Services is supported only in a Java application server deployment.
Previously, in SAS 9.2, there were two implementations of SAS BI Web Services:
one written in Java that requires a servlet container, and another written in C# that
uses the .NET framework.
n
Artifacts are not required to be generated in SAS 9.3. Only the metadata that is
associated with the generated web service is published.
n
All stored processes are presented as web services without the need for any
additional processing. If the metadata for a web service is not required to be
published to the SAS Metadata Server, the additional step to generate the metadata
is no longer required.
See Also
n
SAS BI Web Services: Developer's Guide
n
SAS Stored Processes: Developer's Guide
Managing Generated Web Services
You can select a set of stored processes in SAS Management Console and use the
Web Service Maker to deploy them as web services. The Web Service Maker generates
a new web service that contains one operation for each stored process that you
selected. For information about developing web services, see the SAS BI Web
Services: Developer's Guide. For information about using the Deploy as Web Service
wizard in SAS Management Console, see the product Help.
When you generate a web service, the Web Service Maker publishes metadata about
the new web service to the SAS Metadata Server. The metadata includes information
such as the URL of the web service, keywords, and the stored processes are used by
the web service. You can view and update some of this information by using SAS
Management Console and the Configuration Manager plug-in in. To import or export a
generated web service, use the SAS Management Console folder view.
Configuring SAS BI Web Services for Java
161
To delete a web service that was generated by the Web Service Maker, use SAS
Management Console. Navigate to Application Management  Configuration
Manager  SAS Application Infrastructure  BI Web Services for Java 9.4 
WebServiceMaker. Expand the node, right-click the web service, and select Delete.
Deleting a web service removes the metadata that is associated with the service. This
action cannot be reversed.
Note: You must grant permissions on the /System/Services folder to users who
want to create SAS BI Web Services. You can also delete a web service directly from
the /System/Services folder. Users need ReadMetadata and WriteMemberMetadata
to create and delete web services. By default, a group named BI Web Services Users
has these permissions. You can add users to this group to enable them to create and
delete web services, or use your own groups and permission settings.
Configuring SAS BI Web Services for
Java
SAS BI Web Services for Java is initially configured during installation using the SAS
Deployment Wizard. To modify this initial configuration, use the Configuration Manager
plug-in for SAS Management Console.
To modify common configuration properties that apply to XMLA, WebServiceMaker, and
generated web services, go to SAS Management Console. Navigate to Application
Management  Configuration Manager  SAS Application Infrastructure  BI
Web Services for Java 9.4. Right-click to select Properties and click the Settings tab.
In the Application  General Configuration section, you can modify the following
configuration properties:
Acceptable SYSCC List
When a web service operation is invoked, it in turn calls the appropriate SAS Stored
Process running on the server tier. SAS execution always returns the SYSCC macro
variable upon completion. By default, if this completion code is not 0, a SOAP fault is
generated and returned to the invoking client. Alternatively, a comma-separated list
of acceptable SAS completion codes can be specified to alter this behavior. Also, a
162 Chapter 11 / Administering the SAS BI Web Services
hyphen separating two values can be used to specify a range of acceptable
completion codes. In this case, the acceptable list of completion codes are treated
as warnings rather than errors and do not cause a SOAP fault.
Note that SYSCC can be set directly by SAS code developers. Likewise, some SAS
procedures set this value. See the appropriate SAS documentation to determine
possible values that might be returned and whether these values are errors or
warnings. For example, if a SAS procedure states that a SYSCC value less than 4 is
a warning and you are willing to accept those values, set this property as follows:
0-4. Therefore, if the SAS stored process returns a value of 4 or less, it is considered
successful as far as the web service is concerned and the client receives an
appropriate response rather than a fault.
Enable dynamic prompts validation
When invoking web service operations for stored processes that have been
configured with dynamic prompt data parameters, you can turn off validation to
obtain better throughput if you are certain that these stored processes have been
written in a robust manner to handle any possible data passed by clients. Dynamic
prompt validation is enabled by default so that the middle-tier web service validates
the client data against data providers to ensure that incoming data meets the
specified criteria before calling the appropriate stored process on the server.
SAS Stored Process timeout
Set this property if you want to limit the amount of time that a stored process is
allowed to run. If the stored process fails to execute in the specified time, it is
canceled and a SOAP fault is returned to the invoking client. A value of zero
indicates no time-out period.
Enable allowing anonymous execution
Specify whether you want to enable or disable anonymous execution.
To modify configuration properties that are specific to the Web Service Maker, navigate
to the WebServiceMaker folder. Then, navigate to the Settings tab within the
Properties dialog box.
Base namespace
This property is the base namespace that is concatenated with the service name to
create a target namespace to uniquely identify generated web services. For
Configuring SAS BI Web Services for Java
163
example, if the base namespace is set to http://tempuri.org, and a client creates
a new service named test without specifying an overriding namespace for this new
service, then the target namespace for the web service becomes http://
tempuri.org/test.
Attachment conformance
Specifies the attachment conformance that should be enabled for generated web
services. There are two options: Message Transmission Optimization Mechanism
(MTOM) and SOAP Messages with Attachments (SwA). The default is MTOM.
Validate Request With Schema
Setting this property to True causes the incoming request to be validated against the
service’s schema. The default is false because this operation can be CPU intensive.
Validate Response With Schema
Setting this property to True causes the resulting output created by the service
execution to be validated against the service’s schema. The default is false because
this operation can be CPU intensive.
Attachment Optimized Threshold
The default value is 2048 bytes. This attachment threshold is the number of bytes
contained in the attachment that causes the data to be included as an out-of-band
XOP/Include MTOM attachment. An attachment containing fewer bytes is
transferred inline as base64 encoding for optimization.
To modify configuration properties that are specific to a web service, navigate to the
folder for that service. Then navigate to the Advanced tab within the Properties dialog
box. Specify the name of each configuration property and its value in the Define New
Property dialog box.
The following advanced configuration properties are available:
AcceptSysccList
See “Acceptable SYSCC List” on page 161. This property overrides its analogous
common configuration property.
DynamicPromptsSupport
See “Enable dynamic prompts validation” on page 162. This property overrides its
analogous common configuration property.
164 Chapter 11 / Administering the SAS BI Web Services
MaxSTPExecTime
See “SAS Stored Process timeout” on page 162. This property overrides its
analogous common configuration property.
AnonymousExecution
Enabled by default. This property requires the SAS Anonymous Web user or
Webanon account to have been created previously.
BaseNameSpace
This property is the base namespace that is concatenated with the service name to
create a target namespace to uniquely identify web services. For example, if the
base namespace is set to http://tempuri.org, and a client creates a new service
named test without specifying an overriding namespace for this new service, then
the target namespace for this web service becomes http://tempuri.org/test.
AttachmentConformance
This property specifies the attachment conformance that should be enabled for
generated web services. There are two options: Message Transmission Optimization
Mechanism (MTOM) and SOAP Messages with Attachments (SwA). The default is
MTOM.
ValidateRequestWithSchema
Setting this property to true causes the incoming request to be validated against the
service’s schema. The default is false, because this operation can be CPU intensive.
ValidateResponseWithSchema
Setting this property to true causes the resulting output that is created by the service
execution to be validated against the service’s schema. The default is false because
this operation can be CPU intensive.
AttachmentOptimizedThreshold
The default is 2048 bytes. This attachment threshold is the number of bytes
contained in the attachment that causes the data to be included as an out-of-band
XOP/Include MTOM attachment. An attachment containing fewer bytes is used as
base 64 encoding for optimization.
Changes to properties do not take effect immediately. To apply these changes, perform
one of the following tasks:
Configuring SAS BI Web Services for Java
165
n
Either stop and restart SAS Web Application Server, or stop and restart the SAS BI
Web Services for Java Web application (sas.wip.services9.4.ear).
n
Use a Java Management Extensions (JMX) console to communicate with the
com.sas.svcs:service=biws,type=ConfigMBean management bean.
The following image shows the use of the JMX console bundled with the JDK to reload
the configuration metadata into a running SAS BI Web Services for Java application:
166 Chapter 11 / Administering the SAS BI Web Services
Overview of Security for Web Services
A default installation of SAS BI Web Services for Java is not highly secure. The default
security mechanism for SAS web applications is SAS authentication. All requests and
responses are sent as clear text. If users want to authenticate as a specific user, then
they can send a user name and password as clear text as part of the WS-Security
headers. If you use a RESTful request, send the user name and password in a base64
encoded Authorization HTTP header. Authentication is performed by authenticating
client credentials at the SAS Metadata Server. Whenever user names and passwords
must be sent as clear text or base64 encoded, SSL should be enabled to provide
transport layer security.
If you want to use HTTPS to secure the transmission of credentials with the web
services, and you also want to use the Deploy as Web Service wizard in SAS
Management Console, then you need to import the server certificate to SAS
Management Console. To import the server certificate to SAS Management Console,
follow these steps:
1 Create a Java keystore on the local machine and import the server certificate of the
server that you want to communicate with. For more information about how to
perform this step, see http://docs.oracle.com/javase/1.5.0/docs/tooldocs/windows/
keytool.html.
2 Pass the keystore location and password into SAS Management Console using JVM
options. The options that need to be set are:
javax.net.ssl.trustStore=
"fully qualified path to keystore created with keytool from step 1"
javax.net.ssl.trustStorePassword=
"trust store password"
To complete this step, add the following JavaArgs arguments to the sasmc.ini file,
which is found at C:\Program Files\SASHome\SASManagementConsole\9.4:
JavaArgs_14=-Djavax.net.ssl.trustStore =
"fully qualified path to keystore created with keytool from step 1"
JavaArgs_15=-Djavax.net.ssl.trustStorePassword =
Securing SAS BI Web Services for Java
167
"trust store password"
If you are using XMLA web services or generated web services, an anonymous user
can be configured. The anonymous web user is configured during SAS Deployment
Wizard configuration. Anonymous users cannot use the Web Service Maker; credentials
must always be provided to use the Web Service Maker. If you are using XMLA web
services, you can pass user credentials as XMLA properties in the payload.
SAS BI Web Services can also be secured by configuring web authentication. This
provides a way for SAS BI Web Services to identify the calling user with basic web
authentication that uses HTTP transport-layer security.
Note: Web authentication can be used with both XMLA web services and generated
web services. Web authentication cannot be used with the WebServiceMaker web
service when SAS clients are used because these clients authenticate by using onetime passwords.
Securing SAS BI Web Services for Java
SAS Authentication
When SAS authentication is used, SAS Web Application Server does not perform any
authentication on behalf of the application. Instead, SAS BI Web Services for Java
authenticates client credentials against the SAS Metadata Server. Client credentials are
obtained by one of the following ways (in this order):
1 Use credentials that are passed in the UsernameToken WS-Security SOAP header.
For RESTful invocation, use the credentials passed in the Authorization HTTP
header.
2 Use credentials that are passed in the payload as properties (XMLA only).
3 Use anonymous credentials that are configured with the Webanon SAS metadata
login account (XMLA and generated web services).
168 Chapter 11 / Administering the SAS BI Web Services
Typically, the WebServiceMaker service is invoked via the Deploy As Web Service
wizard in SAS Management Console. Therefore, this service must be able to process
SAS one-time passwords. For this reason the WebServiceMaker service functions only
in SAS authentication mode.
Web Authentication
As an alternative to SAS authentication, SAS Web Application Server can be configured
to perform the authentication on behalf of the SAS BI Web Services for Java
application. This is known as web authentication. Beginning with SAS 9.3, web
authentication can also be used with RESTful web services.
Editing the web.xml File for Third-Party
Authentication
If you configure third-party authentication with products such as CA SiteMinder, and use
the JavaScript Objects Notation (JSON) and REST web services, edit the deployment
descriptor file. This file is located in the SASHOME \SASWebInfrastructurePlatform
\9.4\Configurable\wars\sas.biws\WEB-INF directory. Change the configuration
section in the web.xml.orig file as follows:
<!-- comment out or remove this filter
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
-->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<!-- specify different URL patterns
<url-pattern>/*</url-pattern>
-->
<url-pattern>/j_spring_cas_security_proxyreceptor</url-pattern>
<url-pattern>/j_sprint_cas_security_check</url-pattern>
</filter-mapping>
Securing SAS BI Web Services for Java
Rebuild and redeploy the SAS Web Infrastructure Platform web application with the
SAS Deployment Manager.
Transport-Layer Security
HTTP transport-layer security can be used instead of message-level security. The
following security constraints should be applied to the web.xml.orig deployment
descriptor. (See the previous section for the location.) Change the file by adding the
security constraints as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>All-resources</web-resource-name>
<url-pattern>/services/XMLA/*</url-pattern>
<url-pattern>/services/dynamicServicePath/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_USER</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>ROLE_USER</role-name>
</security-role>
169
170 Chapter 11 / Administering the SAS BI Web Services
171
12
Administering SAS Web Application
Themes
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Introduction to SAS Web Application Themes . . . . . . . . . . . . . . . . . . . . 172
Theme Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
The SAS Default Theme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
How Custom Themes Are Created and Deployed . . . . . . . . . . . . . . . 173
Steps for Defining and Deploying a New Theme . . . . . . . . . . . . . . . . . 175
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Step 1: Design the Theme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Step 2: Create a Work Area for the Theme . . . . . . . . . . . . . . . . . . . . . . . 177
Step 3: Make Desired Changes to the Styles,
Graphics, and Theme Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Step 4: Rebuild SAS Web Application Themes . . . . . . . . . . . . . . . . . . . 186
Step 5: Deploy SAS Web Application Themes in
Your Test Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Step 6: Test the New Theme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Step 7: Move the New Theme from Test to
Production Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Step 8: Assign the Default Theme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Deleting a Custom Theme from the Metadata . . . . . . . . . . . . . . . . . . . . . 189
Migrating Custom Themes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Migrating Cascading Style Sheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
172 Chapter 12 / Administering SAS Web Application Themes
Migrating Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Migrating Theme Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Migrating Theme Descriptors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Special Considerations for SAS Logon Manager . . . . . . . . . . . . . . . . . 192
Overview
Introduction to SAS Web Application Themes
SAS Web Application Themes provide a way to define a consistent look and feel across
SAS web applications. You can use themes to apply uniform visual customizations and
company branding to all SAS web applications that support the theme infrastructure. A
typical custom theme might include a banner with a standard corporate color scheme
and company logo, a navigation bar with colors that coordinate with the banner, and
new colors for borders and title bars.
Theme Components
A theme is a collection of resources that control the appearance of a SAS web
application. The following figure shows the components of a theme:
Figure 12.1 Components of a Theme
Here is an explanation of each theme component:
Overview
173
theme templates
are HTML fragments that render specific portions of pages in SAS web applications.
The templates contain dynamic substitution variables of the form
%VARIABLE-NAME that are replaced by application-specific values when the
templates are used in SAS web applications.
cascading style sheets
determine the colors, fonts, backgrounds, alignment, and spacing for page elements
in SAS web applications. A cascading style sheet (CSS) is a standard mechanism
for defining consistent and reusable presentation for web-based content.
theme descriptors
are XML files that describe the style sheets, templates, and images that make up a
theme.
images
include graphics for icons, a company logo, and banner and page backgrounds. You
can incorporate your own customized graphics files as part of a new theme. Images
can be in any format supported in the browser, including GIF, PNG, and JPEG.
Note: The application title that appears in the banner of the SAS web application is not
part of the theme. You also cannot use themes to change the application name that
appears in the title bar of the browser window.
The SAS Default Theme
The initial theme that is installed with the theme infrastructure is named Default. This
theme is typically used as the basis for creating new themes, so you should understand
its structure before you attempt to create a custom theme. Specifications for the Default
theme are provided in SAS-config-dir\Lev1\Web\Utilities
\SASThemeExtensions\specs\Default\index.html.
How Custom Themes Are Created and
Deployed
The SAS-config-dir\Lev1\Web\Utilities\SASThemeExtensions directory
contains the scripts and resources needed to create a new theme:
174 Chapter 12 / Administering SAS Web Application Themes
n
The NewTheme script creates a directory structure for your new theme, and populates
it with configuration files that are modified to create a new theme definition. The new
theme is based on the SAS default theme that is shipped with the software.
n
The specs directory provides documentation for the general color palette and color
and image guidelines that are specific to each user interface component. This
document is useful when you are designing and defining your custom theme.
Developing a custom theme involves creating CSS files, image files, theme template
files, and theme descriptor files. It is possible to create a new theme by authoring these
files from scratch, but the task is laborious and requires a thorough understanding of
web page design. The theme infrastructure provides a templating mechanism to simplify
the process.
Instead of editing CSS and theme descriptor files directly, template files
(extension .vtl) are provided that contain key and value pairs that isolate the elements
of the theme that you are likely to want to customize. In addition, context files
(extension .vctxt) enable you to create a centralized set of definitions for key values
that you can use in place of explicit values to simplify the process of maintaining the
template files. When you use the SAS Deployment Manager to rebuild the SAS Web
Application Themes, the context files are merged into the template files to create a
complete set of shared and product-specific style sheets and theme descriptors. The
build process also packages your new theme into a WAR file that is deployed to make
the themes available in your production environment.
Once the theme archive is deployed, users can use the Preferences page in their SAS
web application to apply the new theme (or any other deployed theme). You can also
specify the custom theme as the default for all SAS web applications. This means that
the theme is applied automatically for users who do not make a selection on the
Preferences page.
Note: Previously, SAS Web Report Studio 3.1 used product-specific branding.
Product-specific branding is not available for SAS Web Report Studio 4.4. Use themes
to create branding in SAS Web Report Studio 4.4. A few properties for branding that
existed in SAS WebReport Studio 3.1 are supported in SAS Web Report Studio 4.4. For
information about these properties and usage, see “Customizing Report Styles for SAS
Web Report Studio” in Chapter 6 of SAS Intelligence Platform: Web Application
Administration Guide.
Steps for Defining and Deploying a New Theme
175
Steps for Defining and Deploying a New
Theme
Overview
SAS provides a default theme for your use. You also have the choice of designing and
deploying a custom theme for your environment.
To develop and deploy a new theme, follow these steps:
1 “Step 1: Design the Theme” (See page 176.)
2 “Step 2: Create a Work Area for the Theme” (See page 177.)
3 “Step 3: Make Desired Changes to the Styles, Graphics, and Theme Templates”
(See page 182.)
4 “Step 4: Rebuild SAS Web Application Themes” (See page 186.)
5 “Step 5: Deploy SAS Web Application Themes in Your Test Environment ” (See
page 186.)
6 “Step 6: Test the New Theme” (See page 187.)
7 “Step 7: Move the New Theme from Test to Production Environment” (See page
187.)
8 “Step 8: Assign the Default Theme” (See page 188.)
Note: You might choose to perform steps 3 through 6 iteratively, making limited
changes to the theme during each iteration, so that you can more readily determine the
effects of each set of changes to the theme. To deploy multiple themes in your
environment, follow steps 1 to 6 to design and create your themes. Then follow step 7 to
move each theme from test to production environment.
176 Chapter 12 / Administering SAS Web Application Themes
You can deploy multiple themes in your corporate environment. Before deploying the
new theme in a production environment, you should first test it in a test environment to
ensure that SAS web applications function as expected with the new theme applied.
Step 1: Design the Theme
Overview
The first step in creating a custom theme is to plan the visual elements. Usually, the
new theme is based on an existing design, your organization's intranet standards,
another in-house written application, or a purchased application or solution. Some
organizations have a standard color palette with color specifications.
Review the specifications for the Default theme at SAS-config-dir\Lev1\Web
\Utilities\SASThemeExtensions\specs\Default\index.html, and identify
the component keys and image keys for the visual elements that you want to change in
the new theme. Establish a set of colors that are compatible with your organization, and
choose the images (for example, logos, banner images) you want to use in the new
theme.
Generally, you can make the largest impact by updating the background colors, border
colors, and text attributes for web application pages and SAS Information Delivery
Portal portlets. In addition, you might want to replace the SAS logo in the banner with
our own organization's logo. If you select a different color palette, consider that you
might need to adjust the colors in images to match the new palette.
The Color Palette page at SAS-config-dir\Lev1\Web\Utilities
\SASThemeExtensions\specs\Default\html\colorPalette.html lists all 55
color keys of the default theme and specifies the default hexadecimal color value for
each color key. It also provides links to documentation on each user interface element
where the color is applied.
Options in Designing the Theme
When you create a new theme, there are three ways to define your theme:
n
Use the Color Palette and replace the 55 default SAS colors with your organization's
palette. The colors are applied automatically across the user interface.
Steps for Defining and Deploying a New Theme
177
n
Specify the color to be used for each interface component. You must specify the
color for each context key of the user interface component. This approach takes
more time, but it provides maximum flexibility and control.
n
Start with the Color Palette, and make individual changes to selected user interface
components. This approach overrides how the color palette is applied in some
cases.
If you choose to set colors for the context key of each user interface component, the
web pages at SAS-config-dir\Lev1\Web\Utilities\SASThemeExtensions
\specs\Default\index.html provide tools and resources to assist you with this
process.
Step 2: Create a Work Area for the Theme
To create a work area that contains a copy of the Default theme as a basis for your new
theme, use one of the following scripts provided in the SAS-config-dir\Lev1\Web
\Utilities\SASThemeExtensions directory:
n
for Windows: NewTheme.bat theme-name true
n
for UNIX and z/OS: NewTheme.sh theme-name true
To use the Color Palette option, the true parameter is required in the command.
Note: The theme name must not contain spaces.
The following figure shows the theme-name directory, which is the root directory for
theme resources. The \theme-name\MetadataTools directory contains SAS
programs for managing the theme. The Velocity directory contains several
subdirectories with files.
178 Chapter 12 / Administering SAS Web Application Themes
Figure 12.2
Subdirectories within SASThemeExtensions Directory
The following figure shows the subdirectory structure that is created under the SASconfig-dir\Lev1\Web\Utilities\SASThemeExtensions\themes\theme-name\themes
\theme-name directory.
Steps for Defining and Deploying a New Theme
Figure 12.3
Subdirectories for Images, Styles, and Templates
Here is an explanation of the folders and their contents:
\theme-name\themes\theme-name\images
contains the standard collection of images for SAS web applications that use the
theme infrastructure. The images are divided into the following subdirectories by
category:
Common
contains images that are commonly used in SAS web applications.
Components
contains images for the collection of components (widgets) that are shared by
SAS web applications.
179
180 Chapter 12 / Administering SAS Web Application Themes
WRS
contains images for SAS Web Report Studio.
\theme-name\themes\theme-name\styles
contains a cascading style sheet file named custom.css that can be used to define
additional style elements for the theme. This file is empty when the work area is
created.
\theme-name\themes\theme-name\templates
contains theme templates, which are HTML fragments that render specific portions
of pages in SAS web applications. The template files are divided into the following
subdirectories by category:
Common
contains theme templates for page elements that are commonly used in SAS
web applications.
Components
contains theme templates for the collection of components that are shared by
SAS web applications.
WRS
contains theme templates for elements in SAS Web Report Studio pages.
The following figure shows the subdirectories below the SAS-config-dir\Lev1\Web
\Utilities\SASThemeExtensions\themes\theme-name\Velocity directory.
Steps for Defining and Deploying a New Theme
Figure 12.4
Subdirectories within the Velocity Directory
Here is an explanation of the contents of the directories:
\theme-name\Velocity\Stylesheets\_shared\contexts\themes
contains a context file named theme-name.vctxt that defines context values for
font families and standard colors that can be used in CSS templates.
\theme-name\Velocity\Stylesheets\Common\contexts\themes\themename
contains CSS template files that are used to build style sheets for page elements
that are commonly used in SAS web applications, including portal.themename.vtl, sasStyle.theme-name.vtl, and sasScorecard.theme-name.vtl.
181
182 Chapter 12 / Administering SAS Web Application Themes
\theme-name\Velocity\Stylesheets\Components\contexts\themes
\theme-name
contains a CSS template file named components.theme-name.vtl that is used to
build style sheets for the collection of components that are shared by SAS web
applications.
\theme-name\Velocity\Stylesheets\WRS\contexts\themes\theme-name
contains a CSS template file named wrs.theme-name.vtl that is used to build style
sheets for SAS Web Report Studio.
\theme-name\Velocity\ThemeDescriptors\contexts
contains a context file named theme-name.themeDescriptor.vctxt that defines
context values that can be used in theme descriptor templates.
\theme-name\Velocity\ThemeDescriptors\contexts\custom\theme-name
contains theme descriptor template files for building the XML files that define the
available collections of style sheets, theme templates, and images, including
ComponentsThemes.vtl, CustomThemes.vtl, SASThemes.vtl,
SolutionsThemes.vtl, and WRSThemes.vtl. The SemanticThemes.vtl file is added
in the second maintenance release for SAS 9.3.
If you were to build the new theme at this point, it would be a fully functional duplicate of
the Default theme.
Step 3: Make Desired Changes to the Styles,
Graphics, and Theme Templates
Changing Colors
To make style changes to specific page features, you must first identify the component
key associated with that feature and then locate the CSS template file that sets the
value for that key.
For example, suppose your new theme design calls for changing the color for the title
text in the banner at the top of SAS web applications. The Banner specifications at the
Themes web site SAS-config-dir\Lev1\Web\Utilities
\SASThemeExtensions\specs\Default\Components\html\Banner.html
Steps for Defining and Deploying a New Theme
183
show that the context key for the title text is Banner_Title_Text_Color and it displays
its context value.
Each Themes web page displays the context keys and context values.
You can specify a new color explicitly, as follows:
Banner_Title_Text_Color=#e69b00
Because components.theme-name.vtl is a CSS template file, another option is to use
the generic color values that are defined in the theme-name.vctxt file in the
\Velocity\Stylesheets\_shared\contexts\themes subdirectory of the work
area for the new theme. For example, you might specify the following value instead of
an explicit value:
Banner_Title_Text_Color=${Color53}
The corresponding color value is substituted in the resulting CSS when the new theme
is built.
The general form for using a context value in a template file is ${context-value-name}.
Using context values instead of explicit values can make it easier to maintain the theme
because you can change all component keys that use a given value by making one
change to the context file.
Changing Graphics
Image files are located in three subdirectories located in the SAS-config-dir
\Lev1\Web\Utilities\SASThemeExtensions\specs\Default folder. These
184 Chapter 12 / Administering SAS Web Application Themes
subfolders are: Common, Components, and WRS. The properties of each image are
defined in the Theme Descriptors files.
The process for customizing images is similar to that for customizing styles. For
example, suppose your new theme design calls for changing the background image for
the banner at the top of SAS web applications. A review of the Banner specifications at
SAS-config-dir\Lev1\Web\Utilities\SASThemeExtensions\specs
\Default\index.html shows that the image key for the banner background is
banner_background. A search for that string in the work area for the new theme shows
the following IMAGE element in the ComponentsThemes.vtl file in the Velocity
\ThemeDescriptors\custom\theme-name subdirectory of the work area:
<Image name="banner_background" ...
file="BannerBackground.gif"/>
You can change the image used for the banner background image in either of the
following ways:
n
by replacing the existing BannerBackground.gif file in the themes\themename\images\Components subdirectory of the work area with a revised image
with the same name. Make sure that the new image has the following criteria:
o
The filename of the new graphic is identical to the filename of the graphic being
replaced.
o
The new graphic is in the same format as the original image (for example, .jpg
or .gif).
o
The dimensions of the new graphic and its pixels are same as the graphic being
replaced.
If you need to change the size, filename, or the image format of the graphic, modify
the theme descriptor. For example, if you replace the logo.gif file with a new file
called myLogo.jpg that has a width of 300 pixels and height of 70 pixels, modify
the ComponentsThemes.vtl file as follows:
<Image name="logo" description="My Logo" altTextKey="desktop.logo.text"
appliesTo="ALL" width="300" height="70" file="myLogo.jpg"/>
n
by changing the FILE= attribute in the IMAGE element in the
ComponentsThemes.vtl context file to point to a different image file.
Steps for Defining and Deploying a New Theme
185
Note: You should not change the value of the NAME= attribute in the IMAGE
element. SAS web applications depend on the NAME= attributes remaining
constant.
Another common image change is to replace the SAS logo in the standard banner with
your organization's logo. You can change the graphic used for the banner logo either by
replacing the existing logo.gif file in the themes\theme-name\images
\Components subdirectory of the work area with a copy of your logo with that filename
or by changing the target of the FILE= attribute for the IMAGE element in the
ComponentsThemes.vtl context file for which the NAME= attribute has the value
logo.
Note: Beginning with the second maintenance release for SAS 9.3, the SAS Logon
Manager application uses graphics from the themes\theme-name\images
\semantic directory. If you want to change the logo on the SAS Logon Manager, or
any other graphic shown on the logon page, review the graphics in the semantic
directory and the IMAGE elements in the SemanticThemes.vtl file.
When customizing images, you should ensure that the replacement graphics have
approximately the same dimensions as the original graphics. Otherwise, the images
might disrupt the appearance of the applications in which they are used.
Changing Theme Templates
You should make changes to theme templates only in situations where you want to
change the layout of a page element (for example, to change the logo's placement in
the banner or to adjust the padding between rows in a menu). If you decide to alter a
theme template, proceed with caution. SAS web applications rely on the template
structure being consistent with the versions that are shipped with the software. Improper
changes to theme templates might prevent SAS web applications from functioning
properly. In particular, do not change the dynamic substitution variables in theme
templates because SAS web applications expect the existing values.
Dynamic substitution variables should not be changed in theme templates because SAS
web applications expect the existing values. However, if you need to change a dynamic
substitution variable, here is an example where %BANNER_TITLE is the dynamic
substitution variable:
<td nowrap id=”bantitle”
186 Chapter 12 / Administering SAS Web Application Themes
class="banner_title">%BANNER_TITLE</td>
Note: When a new release of themes is installed at your site or an upgrade is
performed, the existing theme template files are replaced by the new theme template
files. If you have customized theme template files and want to retain them for future use,
copy them to a different location before the installation or upgrade.
Additional Considerations
Another change that you might want to make when creating your new theme is to
update the theme_displayName= element in the themename.themeDescriptor.vctxt file in the Velocity\ThemeDescriptors
\contexts subdirectory of the work area. Provide a descriptive name for the new
theme. The name is used in the selection list of available themes in the Preferences
page in SAS web applications.
Step 4: Rebuild SAS Web Application Themes
To rebuild SAS Web Application Themes and register your themes in metadata, follow
the steps provided in “Rebuild Web Applications” on page 104.
The rebuilt SAS Web Application Themes archive file ( sas.themes.ear) can be
found in the SAS-config-dir\Lev1\Web\Staging directory. It should contain a
new web archive (WAR) file for the new theme named sas.theme.theme-name.war.
Step 5: Deploy SAS Web Application Themes
in Your Test Environment
To deploy the rebuilt SAS Web Application Themes to your web application server in a
test environment, see “Redeploying the SAS Web Applications” on page 107.
If you chose to configure the web application server manually or deployed the SAS web
applications manually, see your Instructions.html generated by the SAS
Deployment Wizard.
Steps for Defining and Deploying a New Theme
187
Step 6: Test the New Theme
After you have completed the deployment procedures, follow these steps to test the
new theme:
1 Navigate to the portal in the production environment.
2 Log on and select Options  Preferences. The new theme should appear as a
selection on the Preferences page.
3 Select the new theme and observe the effect of the changes that you made in “Step
3: Make Desired Changes to the Styles, Graphics, and Theme Templates” on page
182. To view the new theme, log off from the portal. Then log in to the portal to view
the new theme that was applied.
4 Repeat the procedures outlined in “Steps for Defining and Deploying a New Theme ”
on page 175 until you are satisfied with the display of the new theme.
If you test the new theme several times, log off from the portal and log on again to view
the updated theme each time.
Step 7: Move the New Theme from Test to
Production Environment
To move a theme from a test to a production environment, follow these steps:
n
Copy the entire contents of the SAS-config-dir\Lev1\Web\Utilities
\SASThemeExtensions directory to the same directory path on the production
machine.
n
Run SAS Deployment Manager, and use the Rebuild Web Applications option to
register the theme in the metadata. See “Step 4: Rebuild SAS Web Application
Themes” on page 186.
n
Deploy SAS Web Application Themes to your web application server. See “Step 5:
Deploy SAS Web Application Themes in Your Test Environment ” on page 186.
188 Chapter 12 / Administering SAS Web Application Themes
Step 8: Assign the Default Theme
Overview
If you want your new or custom theme to be the default theme for all users who have
not selected a theme for themselves in their application's Preferences, then you should
set the new theme as the default.
There are two ways to modify the theme metadata:
n
Use SAS Management Console. See “Assign the Default Theme from SAS
Management Console” on page 188.
n
Use the UpdateDefaultTheme.sas program. See “Assign the Default Theme with
the UpdateDefaultTheme.sas Program” on page 189.
Assign the Default Theme from SAS Management Console
To assign a new theme as the default theme by using the SAS Management Console,
follow these steps:
1 Deploy SAS Web Application Themes using the SAS Deployment Manager.
2 In SAS Management Console, on the Plug-ins tab, navigate to Application
Management  Configuration Manager  SAS Application Infrastructure and
right-click to display the SAS Application Infrastructure Properties dialog box.
3 Click the Settings tab.
4 In the Default Theme field, enter the name of your theme.
5 Click OK to exit the SAS Application Infrastructure Properties window.
6 To enable the new theme to go into effect, restart the SAS Web Infrastructure
Platform application in the web application server.
Migrating Custom Themes
189
Assign the Default Theme with the UpdateDefaultTheme.sas
Program
To assign a theme as the default theme, use the UpdateDefaultTheme.sas program
located in the SAS-config-dir\Lev1\Web\Utilities\SASThemeExtensions
\themes\theme-name\MetadataTools directory. After the
UpdateDefaultTheme.sas program has been run, the new theme will be in effect for
users who have not selected a different theme on their Preferences page.
If SAS is not installed on the middle-tier machine, copy the UpdateDefaultTheme.sas
program to the metadata server, and submit the SAS program on that machine.
Deleting a Custom Theme from the
Metadata
To delete a custom-developed theme from the deployment for the SAS Information
Delivery Portal, use the DeleteTheme.sas program located in the SAS-config-dir
\Lev1\Web\Utilities\SASThemeExtensions\themes\theme-name
\MetadataTools directory.
If SAS software is not installed on the middle-tier machine, copy the DeleteTheme.sas
program to the metadata server, and submit the program on that system machine.
Migrating Custom Themes
Overview
To apply a custom theme that you developed for an earlier release, follow these steps:
1 Create a new theme structure. For information about creating a work area in which
to construct the new version of your existing theme, see “Step 2: Create a Work
Area for the Theme” on page 177.
2 Migrate the cascading style sheets used in your theme.
190 Chapter 12 / Administering SAS Web Application Themes
3 Migrate the images used in your theme.
4 Migrate the theme templates.
5 Migrate the descriptors used in your theme.
Migrating Cascading Style Sheets
Before attempting to move any CSS files from an existing theme to the \themes
\theme-name\styles subdirectory of the work area for the new theme, you should
first review the specifications for the Default theme at SAS-config-dir\Lev1\Web
\Utilities\SASThemeExtensions\specs\Default\index.html. For any
feature for which a component key has been defined, you should update the
corresponding component key values in the CSS template (.vtl) files in the
\Velocity\Stylesheets\Common\contexts\themes\theme-name, \Velocity
\Stylesheets\Components\contexts\themes\theme-name, and \Velocity
\Stylesheets\WRS\contexts\themes\theme-name subdirectories of the work
area to achieve a compatible look and feel.
Custom style sheet files are required only if you need to provide theme support to
features that are not covered by the CSS templates. For each style sheet file that you
add, you must ensure that a corresponding STYLESHEET element is added to in the
appropriate theme descriptor template (.vtl) file in the \Velocity
\ThemeDescriptors\contexts\custom\theme-name subdirectory of the work
area for the new theme. The STYLESHEET element must specify the value all for its
PRODUCT= attribute.
Migrating Images
Before attempting to move any image files from an existing theme to the \themes
\theme-name\images subdirectory of the work area for the new theme, see the
image specifications for the Default theme at SAS-config-dir\Lev1\Web
\Utilities\SASThemeExtensions\specs\Default\index.html. If the image
from the existing theme replaces one of the images in the new theme, then you should
ensure that the image from the existing theme is saved over the default image in the
proper directory under the \themes\theme-name\images subdirectory. If the image
Migrating Custom Themes
191
from the existing theme does not replace an image in new theme, save it in the
\themes\theme-name\images\Common subdirectory.
For each image file that you update or add, you must ensure that a corresponding
IMAGE element is present in the appropriate theme descriptor template (.vtl) file in the
\Velocity\ThemeDescriptors\contexts\custom\theme-name subdirectory of
the work area for the new theme.
Migrating Theme Templates
Before attempting to move any theme template files from an existing theme to the
\themes\theme-name\templates subdirectory of the work area for the new theme,
you should consider carefully whether they are compatible with the SAS web
applications. SAS web applications rely on the theme template structure being
consistent with the versions that are shipped with the software. Theme templates must
have the expected set of dynamic substitution variables in order for the applications to
function properly.
Migrating Theme Descriptors
The theme descriptor template (.vtl) files in the \Velocity\ThemeDescriptors
\contexts\custom\theme-name subdirectory of the work area for the new theme
should represent the structure of the migrated theme resources. Review the files to
ensure the following:
n
If you add cascading style sheet files to provide theme support for features that are
not covered by CSS templates, ensure that you add corresponding new
STYLESHEET elements to the STYLES section.
n
For each image file that you update or add, ensure that you update or add a
corresponding IMAGE element in the IMAGES sections.
n
If you migrate existing theme template files, ensure that you update or add a
corresponding TEMPLATE element in the TEMPLATES sections to reflect the
change.
192 Chapter 12 / Administering SAS Web Application Themes
Special Considerations for SAS Logon
Manager
Overview
Beginning with the second maintenance release for SAS 9.3, the SAS Logon Manager
web application uses two different designs: "logon classic" and "logon corporate." The
classic design is used with SAS web applications that use mostly HTML and JSP. The
corporate design is used with SAS web applications that use mostly Adobe Flash
technology.
The corporate design uses a different directory for images and a template file than the
classic design. When you migrate your custom themes, review whether your custom
images or template changes should also be added to the following images and themes.
Migrating the Logon Logo Image
To migrate a custom logo image for the logon page:
1 Change the context file to point to a new logo image.
a Edit SAS-config-dir\Lev1\Web\Utilities\SASThemeExtensions
\theme-name\Velocity\ThemeDescriptors\custom\theme-name
\SemanticThemes.vtl
b Change the following line to specify to a different image path.
<Image name="logo_png" file="semantic/logo.png"
description="SAS: The Power to Know" altTextKey="image.sas.logo.txt" />
If you want to use your existing customer logo.gif, then change the entry to resemble
the following example:
<Image name="logo_png" file="logo.gif"
description="your-description-here" altTextKey="image.sas.logo.txt" />
TIP You can change or remove the description attribute. It is used as a tooltip
for the logo image.
Migrating Custom Themes
193
2 Add styles to your theme's SAS-config-dir\Lev1\Web\Utilities
\SASThemeExtensions\theme-name\themes\theme-name\styles
\custom.css file. Adjust some of the values in the following example, depending
on the dimensions of your logo image and the desired appearance.
}
.figure1 img {
width: your-image-widthpx;
height: your-image-heightpx;
.figure1 {
width: 100%;
min-width: your-image-widthpx;
max-width: your-image-widthpx;
}
.logonabout {
margin-bottom: 0em;
}
.banner .clearfix {
display: none;
}
.logonhd {
height: 5.0em;
}
.logonhd h1 {
padding-top: 1em;
}
Logon Banner Background Image
To migrate your logon banner background image:
1 Create a new image and copy it to a new location.
a Create a new PNG version of your custom image at SAS-config-dir
\Lev1\Web\Utilities\SASThemeExtensions\theme-name\themes
\theme-name\images\Components\BannerBackground.gif and name it
BannerBackground.png. You can use an application like Microsoft Paint to do
this.
194 Chapter 12 / Administering SAS Web Application Themes
b The dimensions of BannerBackground.png are 781x145 pixels. The dimensions
of BannerBackground.gif are 1063x479 pixels. You might need to resize your
new image to match the size of BannerBackground.png. Again, you can use an
application like Microsoft Paint to make the change.
c Copy BannerBackground.png to SAS-config-dir\Lev1\Web\Utilities
\SASThemeExtensions\theme-name\themes\theme-name\images
\semantic\.
2 If you want your BannerBackground.png image to repeat, then add a style override
to the SAS-config-dir\Lev1\Web\Utilities\SASThemeExtensions
\theme-name\themes\theme-name\styles\custom.css file:
.banner {
background: url("../images/semantic/BannerBackground.png")
repeat-x scroll left top transparent;
}
TIP As an alternative to step 1, you can change the URL value to specify a
different image, if you prefer.
Note: The corporate design shares the .banner style with the classic design. If you
include the preceding .banner style in your custom.css file, then the
BannerBackground.png appears in the corporate design—which might be
undesirable. You can either create a BannerBackground.png image that works well
for both the classic and corporate designs, or you can eliminate
BannerBackground.png by adding the following style to your custom.css file:
.banner {
background: none;
}
Logon Banner Background Color
This setting applies to the classic design only. If you want to change the banner
background color that is to the right of the banner background image, edit SASconfig-dir\Lev1\Web\Utilities\SASThemeExtensions\theme-name
\Velocity\Stylesheets\Common\contexts\themes\theme-name
\logon.theme-name.vtl. Change the Logon_Classic_Banner_Background_Color
value.
Migrating Custom Themes
195
LogonArtTile.gif File
This file is not used in the new logon page for the classic or corporate designs. You do
not need to migrate it.
LogonArtTop.gif File
To migrate your custom LogonArtTop.gif file:
1 Copy your custom LogonArtTop.gif from SAS-config-dir\Lev1\Web
\Utilities\SASThemeExtensions\theme-name\images\Common\ to SASconfig-dir\Lev1\Web\Utilities\SASThemeExtensions\theme-name
\images\semantic\.
2 If you want this image to repeat down the page from top to bottom, edit the
custom.css file and add a repeat-y attribute as shown in the following example:
.content {
background: url("../images/semantic/LogonArtTop.gif")
repeat-y scroll 0 5em transparent;
}
TIP As an alternative to step 1, you can change the URL value to specify a
different image, if you prefer.
Note: Similar to the .banner style, the .content style is used by both the classic
and corporate designs. One setting might not look attractive on both designs. If you
want to eliminate the graphic from the designs, you can set it to none
(background: none;).
Colors for the Classic Design
To customize the color for the About link that appears in the banner for the classic
design:
1 Edit SAS-config-dir\Lev1\Web\Utilities\SASThemeExtensions\theme-
name\Velocity\Stylesheets\Common\contexts\themes\theme-name
\logon.theme-name.vtl.
2 Change the Logon_Classic_About_Link_Color value to a color that works well with
your custom theme's Banner_UtilityBar_Background_Color value in SAS-config-
196 Chapter 12 / Administering SAS Web Application Themes
dir\Lev1\Web\Utilities\SASThemeExtensions\theme-name\Velocity
\Stylesheets\Common\contexts\themes\theme-name
\components.theme-name.vtl.
3 Change the additional About colors as needed. These are
Logon_Classic_About_Link_Focus_Color and
Logon_Classic_About_Link_Hover_Background_Color.
4 Adjust other Logon_Classic* colors in the logon.theme-name.vtl, as needed.
Colors for the Corporate Design
To customize the colors for the corporate design:
1 Edit SAS-config-dir\Lev1\Web\Utilities\SASThemeExtensions\theme-
name\Velocity\Stylesheets\Common\contexts\themes\theme-name
\logon.theme-name.vtl.
This file is used by the classic and corporate designs. The rest of the instructions
apply to modifying the corporate-related design colors.
2 Change the page body color:
a Change Logon_Corporate_Body_Background_Color to one in your theme’s color
palette or set to white (#FFFFFF) to match the classic design.
b Set Logon_Corporate_Body_Background_Gradient_Start_Color and
Logon_Corporate_Body_Background_Gradient_End_Color to the same color as
Logon_Corporate_Body_Background_Color.
3 Change the page text color by setting Logon_Corporate_Page_Text_Color to one in
your theme’s color palette or set to black (#000000) to match the classic design.
4 Change the About link colors:
a Change the Logon_Corporate_About_Link_Color value to a color that works well
with your custom theme's color palette.
Migrating Custom Themes
197
b Change additional About colors as needed. These are
Logon_Corporate_About_Link_Focus_Color and
Logon_Corporate_About_Link_Hover_Background_Color.
5 Adjust other Logon_Corporate* colors in the logon.theme-name.vtl, as needed.
Additional Changes for the Corporate Design
If you are migrating the corporate design, edit the SAS-config-dir\Lev1\Web
\Utilities\SASThemeExtensions\theme-name\themes\theme-name\styles
\custom.css file and add the following styles:
body {
filter: none;
-ms-filter: none;
}
#page {
/*
* The following is required to override background image. It does not
* inherit the color key value.
*/
background: insert-Logon_Corporate_Body_Background_Color-value;
}
.logonabout a:link {
text-shadow: none;
}
.logonabout a:hover {
background: none;
}
.logonhd h1 {
text-shadow: none;
}
.message {
background: none;
filter: none;
}
.message h2 {
text-shadow: none;
}
.message.info {
text-shadow: none;
}
.message.error {
text-shadow: none;
}
.message.warning {
198 Chapter 12 / Administering SAS Web Application Themes
text-shadow: none;
}
.main {
background: none;
-moz-border-radius: 0px;
-webkit-border-radius: 0px;
-khtml-border-radius: 0px;
border-radius: 0px;
}
Rebuild SAS Themes
After previous changes are made to migrate your custom theme, run SAS Deployment
Manager to rebuild the SAS Themes application. When this is complete, redeploy SAS
Web Application Themes to the web application server and restart it.
199
13
Administering SAS Flex Application
Themes
Introduction to SAS Flex Application Themes . . . . . . . . . . . . . . . . . . . . 199
Benefits of SAS Flex Application Themes . . . . . . . . . . . . . . . . . . . . . . . . . 200
Location of SAS Flex Application Themes . . . . . . . . . . . . . . . . . . . . . . . . . 200
Introduction to SAS Flex Application
Themes
Some SAS Web applications, such as SAS BI Dashboard and SAS BI Portlets, are
displayed with the Flex interface that is provided by SAS Flex Application Themes. At
start-up time, Flex applications load Flex themes automatically. A theme consists of
ShockWave Flash (SWF) files that include cascading style sheets (CSS) files. The
theme content is downloaded to the client and is cached by the user's web browser. As
a result, subsequent uses of the web application result in quicker loading of theme
content than it is at initial loading. The SAS Corporate theme is the default theme for all
Flex applications.
Themes can be created with the SAS Theme Designer for Flex. For information about
custom themes for Flex applications, see SAS Theme Designer for Flex User’s Guide.
200 Chapter 13 / Administering SAS Flex Application Themes
Benefits of SAS Flex Application
Themes
SAS Flex Application Themes are required for Flex applications, and they are
downloaded as SWF files to the client's web browser. Flex theme content runs within
the Adobe Flash player and offers the following benefits:
n
SAS Flex Application Themes coexist with SAS Web Application Themes. For
example, SAS Information Delivery Portal uses the default web theme, but it
displays SAS BI Portlets with SAS Flex Application Themes.
n
Applications that use SAS Flex Application Themes offer more visual impact,
interactivity, and responsiveness.
n
Improved visual impact and perceived depth are achieved through the use of skins.
Skins are graphics that are applied to common user interface components that
change their appearance. For example, the Corporate theme provides skins with a
color palette that reflects the SAS visual identity. Skins also include some stylized
graphics in the user interface.
Location of SAS Flex Application
Themes
SAS Flex Application Theme files are located in the SAS-config-dir\Lev1\Web
\Staging\sas.flexthemes4.1.ear file.
201
Part 4
Advanced Topics
Chapter 14
Best Practices for Configuring Your Middle Tier . . . . . . . . . . . . 203
Chapter 15
High-Availability Features in the Middle Tier . . . . . . . . . . . . . . . . . 217
Chapter 16
Enterprise Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Chapter 17
Middle-Tier Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
202
203
14
Best Practices for Configuring Your
Middle Tier
Sample Middle-Tier Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . 204
Overview of Middle-Tier Deployment Scenarios . . . . . . . . . . . . . . . . . . 204
Scenario 1: Web Applications Deployed in a
Single Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Scenario 2: Web Applications Deployed across a
Web Application Server Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Adding a Vertical Cluster Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Adding a Horizontal Cluster Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Tuning the Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring HTTP Sessions in Environments
with Proxy Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Resolve HTTP Session Requests in a Secure Environment . . . . 215
204 Chapter 14 / Best Practices for Configuring Your Middle Tier
Sample Middle-Tier Deployment
Scenarios
Overview of Middle-Tier Deployment
Scenarios
This section describes sample topologies for the middle-tier components. These sample
topologies can help you design a middle-tier configuration that meets the needs of your
organization with regard to performance, security, maintenance, and other factors.
As with all tiers in the SAS Intelligence Platform, deployment of the middle tier involves
careful planning. When you design and plan the middle tier, you must balance
performance requirements against a number of other criteria.
The topologies that are presented in the following sections range from simple to
complex. Scenario 1 represents the deployment that results from using the SAS
Deployment Wizard to configure all the middle-tier software automatically and deploy
the SAS web applications. Scenario 2 provides advanced features, such as greater
security and efficiency, but can require more effort to implement and to maintain.
All scenarios include the SAS server tier. The server tier consists of a SAS Metadata
Server that resides on a dedicated machine. The server tier also includes additional
systems that run various SAS Application Servers, including SAS Workspace Servers,
SAS Pooled Workspace Servers, SAS Stored Process Servers, and SAS OLAP
Servers.
Scenario 1: Web Applications Deployed in a
Single Web Application Server
Overview
This scenario illustrates the most basic topology. All of the SAS middle-tier components
are installed on a single system. All the SAS web applications run in a single SAS Web
Application Server instance.
Sample Middle-Tier Deployment Scenarios
The following figure illustrates the topology for Scenario 1.
Figure 14.1 Scenario 1: Middle-Tier on a Single System
Clients
Middle Tier
SAS Servers
Web Browser
SAS Web Server
SAS Web Infrastructure
Platform Data Server
SAS Web Application Server
SAS Web Infrastructure Platform
SAS Content Server
SAS Stored Process
SAS Package Viewer
SAS Web Application Themes
SAS Themes for Flex Applications
SAS Information Delivery Portal
SAS BI Portlets
SAS Web Report Studio
SAS BI Dashboard
SAS Help Viewer for the Web
SAS Workflow
SAS Web Administration Console
SAS Shared Web Assets
SAS Workspace Server
SAS Pooled Workspace Server
SAS OLAP Server
SAS Stored Process Server
SAS Environment
Manager Agent
SAS Theme Designer for Flex
JMS Broker
Cache Locator
SAS Environment Manager
SAS Environment Manager Agent
SAS Metadata Server
Cache Locator
SAS Environment
Manager Agent
205
206 Chapter 14 / Best Practices for Configuring Your Middle Tier
Here are the advantages and disadvantages of this topology:
Table 14.1
Scenario 1 Advantages and Disadvantages
Topic
Advantages
Disadvantages
Security
SAS Web Server acts as a reverse
proxy and provides a layer of
security.
Adding firewalls to the network is a
good next step.
TLS (SSL) can be enabled on the
client side of SAS Web Server
without affecting the work load on
the SAS Web Application Server or
the performance of the applications.
Performance
SAS Web Server is automatically
configured to cache static content.
This topology does not support
hundreds of concurrent users.
Scalability
There are no advantages in this
scenario, but the topology provides
an upward path to clustering web
application servers.
This topology does not support
hundreds of concurrent users.
Availability
None
This topology has no provision for
planned or unplanned down time.
Maintainability
The SAS Deployment Wizard can
automate the configuration and
deployment.
None
This topology is simple to maintain
and is ideal for development
environments where frequent
changes might be required.
Further Considerations for Scenario 1
As the maintainability advantages in the previous table indicates, scenario 1 is easy to
implement. This middle-tier topology can be completely installed and configured by the
SAS Deployment Wizard.
Sample Middle-Tier Deployment Scenarios
207
A variation of this scenario is to use the SAS Deployment Wizard to add web application
server instances on the same middle-tier machine. This is vertical clustering and can be
configured automatically by the SAS Deployment Wizard.
Similar to clustering, the applications can be distributed to different managed servers.
Distributing the applications is similar to clustering in that additional web application
server instances are used. It is different in that the managed server profiles are different
—single instances of the applications are distributed to web application servers rather
than redundant instances. Distributing the applications enables more memory
availability for the applications deployed on each managed server and also increases
the number of users that can be supported. Some SAS Solutions are configured with
multiple servers by the SAS Deployment Wizard automatically. However, you can
choose to configure multiple managed servers by running the wizard with the custom
prompting level and selecting this feature.
Scenario 2: Web Applications Deployed
across a Web Application Server Cluster
Overview
The sample topology in this scenario includes a cluster of web application servers and
deploys SAS Web Server on its own machine.
The following figure illustrates the sample topology. In most cases, the SAS Web
Application Server instances and applications are identically configured. Some
applications, such as SAS BI Dashboard Event Generator, and some SAS solutions
208 Chapter 14 / Best Practices for Configuring Your Middle Tier
applications cannot be clustered. Those are examples of when the server instances and
applications are not identically configured.
Figure 14.2
Scenario 2: Clustered Web Application Servers
Clients
HTTP Server
Middle Tier
Web Browser
SAS Web Application Server
SAS Web Server
SAS Servers
SAS Web Infrastructure
Platform Data Server
SAS Web Infrastructure Platform
SAS Content Server
SAS Environment
Manager Agent
SAS Stored Process
SAS Package Viewer
SAS Web Application Themes
SAS Themes for Flex
Applications
SAS Information Delivery Portal
SAS BI Portlets
SAS Web Report Studio
SAS BI Dashboard
SAS Help Viewer for the Web
SAS Workflow
Protocol
Firewall
Domain
Firewall
SAS Web Administration
Console
SAS Shared Web Assets
SAS Workspace Server
SAS Pooled Workspace Server
SAS OLAP Server
SAS Stored Process Server
SAS Environment
Manager Agent
SAS Theme Designer for Flex
Cache Locator
JMS Broker
SAS Environment Manager
SAS Environment
Manager Agent
SAS Metadata Server
Cache Locator
SAS Environment
Manager Agent
The majority of the topology can be configured automatically with SAS software.
Because SAS Web Server is deployed on its own machine, it can be configured
Sample Middle-Tier Deployment Scenarios
209
automatically with the SAS Deployment Wizard or configured manually. Here are the
advantages and disadvantages of this topology:
Table 14.2
Scenario 2 Advantages and Disadvantages
Topic
Advantages
Disadvantages
Security
The SAS web applications and the
web application server cluster are
protected by firewalls.
None
The web application server and
SAS web applications can be
configured to perform web
authentication for single sign-on to
the applications and other web
resources in the network.
Performance
Response time is improved
because static content is cached by
SAS Web Server.
None
The greater computing capacity of
the web application server cluster
also improves performance.
Scalability
Once the cluster is established,
additional server instances can be
added to support larger numbers of
concurrent users.
None
Availability
Clustering provides fault isolation
that is not possible with a single
web application server. If a machine
in the cluster fails, then only the
users with active sessions on that
machine are affected.
SAS Web Server remains a single
point of failure. Software and
hardware high-availability options
exist to mitigate this disadvantage.
You can plan downtime for
maintenance by taking some
servers offline. New requests are
then directed to the applications
deployed on the remaining servers
while maintenance is performed.
210 Chapter 14 / Best Practices for Configuring Your Middle Tier
Topic
Advantages
Disadvantages
Maintainability
Configuration and deployment of
the cluster and the applications can
still be automated with the SAS
Deployment Wizard.
Some operations, such as
redeploying web applications, can
require more effort when more
machines are used.
Understanding Clusters
In order to provide greater scalability, availability, and robustness, SAS Web Application
Server supports both vertical and horizontal clustering. With clustering, multiple server
instances participate in a load-balancing scheme to handle client requests. Workload
distribution is managed by the SAS Web Server. SAS Web Server is configured as a
load-balancing HTTP proxy.
The server instances in a cluster can coexist on the same machine (vertical clustering),
or the server instances can run on a group of middle-tier server machines (horizontal
clustering). The web applications can be deployed on both vertical and horizontal
clusters.
Requirement for Session Affinity
For SAS web applications to be deployed into a clustered environment, the SAS Web
Server implements session affinity. Session affinity is an association between a web
application server and a client that requests an HTTP session with that server. This
association is known in the industry by several terms, including session affinity, server
affinity, and sticky sessions. With session affinity, once a client has been assigned to a
session with a web application server, the client remains with that server for the duration
of the session. By default, session affinity is enabled.
Understanding Demilitarized Zones
Many organizations use a series of firewalls to create a demilitarized zone (DMZ)
between their servers and the client applications. A DMZ provides a network barrier
between the servers and the clients. A DMZ provides this protection whether the clients
reside within the organization's computing infrastructure (intranet) or reside outside the
organization on the Internet.
In the previous figure, the outer firewall that connects to the public network is called the
domain firewall. Typically, only the HTTP (80) and HTTPS (443) network ports are open
Adding a Vertical Cluster Member
211
through this firewall. Servers that reside directly behind this firewall are exposed to a
wide range of clients through these limited ports, and as a result the servers are not fully
secure.
An additional firewall, the protocol firewall, is configured between the non-secure
machines in the DMZ and the machines in the secure middle-tier network. The protocol
firewall has additional network ports open. However, the range of IP addresses that are
allowed to make connections is typically restricted to the IP addresses of the servers
that reside in the DMZ.
The DMZ usually contains HTTP servers, reverse proxies, and load-balancing software
and hardware. Do not deploy SAS Web Application Server or any SAS servers that
handle important business logic, data, or metadata in the DMZ.
If your applications are accessed by clients through the Internet, then you should
include a DMZ as part of your deployment in order to safeguard critical information. For
deployments on a corporate intranet, you might want to implement a DMZ as an
additional layer of security.
Adding a Vertical Cluster Member
Vertical clustering is the practice of deploying multiple identically configured web
application server instances on a single machine. This can assist with improving
performance so long as the hardware is sufficiently powerful to run additional server
instances. It can also offer some improvement for availability. In the event that one web
application server instance crashes (or an application on one server instance stops), the
applications remain available on the other web application server instances.
To add a vertical cluster member:
1 Stop the web application server instance and other middle-tier servers.
SAS-config-dir\Lev1\Web\Scripts\AppServer\appsrvconfig.cmd stop
2 Locate the SAS software depot on the machine and start the SAS Deployment
Wizard. When you start the SAS Deployment Wizard, specify your plan file or select
the plan that you used from the list of standard plans.
212 Chapter 14 / Best Practices for Configuring Your Middle Tier
3 When offered the choice to install and configure software, select the check box for
configuring software, clear the check box for installing software, and click Next.
4 When you specify the configuration directory, the wizard provides a warning that the
directory contains existing files. Click Yes to confirm the warning.
5 On the Select Products to Configure page, select the check box for SAS Web
Application Server Configuration only and click Next.
6 On the Web Application Server: Managed Server Ports page, use the Cluster
Member Multiplier menu to specify the number of web application server instances
to configure.
For the pages before this one, and after it, specify the same values that were
entered during the initial configuration.
7 Stop the middle-tier servers again (they were started when the SAS Deployment
Wizard completed).
SAS-config-dir\Lev1\Web\Scripts\AppServer\appsrvconfig.cmd stop
8 Configure the SAS web applications and resources, such JDBC data sources and
JMS queues.
SAS-config-dir\Lev1\Web\Scripts\AppServer\appsrvconfig.cmd -a
The configuration scripting tool (appsrvconfig.cmd) starts the servers when it
completes.
TIP Log on to SAS Environment Manager and add the new servers to your inventory.
Adding a Horizontal Cluster Member
Horizontal clustering is the practice of deploying SAS Web Application Server instances
on multiple machines. This can assist with improving performance and provide greater
availability to guard against hardware failure. In the event that one machine or web
Adding a Horizontal Cluster Member
213
application server instance crashes (or an application on one server instance stops), the
applications remain available on the other machines.
The SAS Deployment Wizard is used to add an additional middle-tier node. When it
runs, it performs the following tasks:
n
installs and configures a SAS Web Application Server instance
n
configures SAS Web Server to load-balance HTTP requests to the new server
instance
n
starts the server instance
To add a horizontal cluster member:
1 On the machine that hosts the SAS Web Server, make sure the SAS Deployment
Agent is running. The agent can be started from SASHome\SASDeploymentAgent
\9.4\agent.bat start.
If the first instance of SAS Web Application Server is not installed on the same
machine as SAS Web Server, then start the deployment agent on that machine too.
2 Copy the SAS software depot to the machine to use, or make sure the depot is
available from a network share.
3 Start the SAS Deployment Wizard on the new machine to use. On the deployment
step page, select Middle Tier Node.
Display 14.1
Select Deployment Step and Products to Install Page
214 Chapter 14 / Best Practices for Configuring Your Middle Tier
Note: You can use the Cluster Member Multiplier menu on the Web Application
Server: Managed Server Ports page to combine vertical clustering with horizontal
clustering.
4 On the first web application server instance that was configured with the SAS
Deployment Wizard, set the following JVM option when the SAS Deployment Wizard
completes.
-Dcom.sas.server.isclustered=true
After you make this change, restart the web application server instance.
TIP Log on to SAS Environment Manager and add the new machine and servers to
your inventory.
Tuning the Web Application Server
In addition to specifying Java Virtual Machine options, you can improve the performance
of SAS web applications by configuring other aspects of the web application server's
behavior. For example, two obvious ways to improve the performance of any web
application are:
n
to limit the frequency with which servers check for updated JavaServer Pages and
servlets
n
to make sure that the server can create sufficient threads to service incoming
requests
SAS provides a set of JVM option settings in the Instructions.html file that is generated
by the SAS Deployment Wizard. Use those settings as a starting point for your tuning.
Configuring HTTP Sessions in Environments with Proxy Configurations
215
Configuring HTTP Sessions in
Environments with Proxy Configurations
Resolve HTTP Session Requests in a Secure
Environment
SAS Web Report Studio uses absolute URL addresses that must be associated with the
correct HTTP session. The SAS Logon Manager knows only the address that is stored
in metadata, and the SAS Logon Manager redirects requests to that location.
If that address differs from the URL specified by the user, then the user's session is not
tracked correctly. (For example, suppose the user specifies the internal address
http://shortname/application instead of the external address http://
shortname.example.com/application.)
When SAS Web Report Studio receives an HTTP request, the request is redirected to
the SAS Logon Manager. The SAS Logon Manager authenticates the request, and
redirects it back to SAS Web Report Studio.
An exception applies to this process if your environment has any front-end processor
(for example, Apache HTTP Server, web clustering, IBM Tivoli Access Manager
WebSEAL, or CA SiteMinder) configured. In these scenarios, or if a reverse proxy is
configured with WebSEAL, the HTTP session request comes via an internal address.
For example, the request might come via http://host:port/application instead of
an external address http://proxiedhost/application. This sequence of events
triggers a redirection filter, which typically sends the request to a location in the
metadata where the request format is expected in the form of shortname.example.com.
However, the redirection filter is not required because the proxy sends the request to
the same location, and the same address is always used.
To ensure successful resolution of HTTP session requests in a secure environment
(any environment with a front-end processor), the redirection filter must be disabled for
SAS Web Report Studio. In addition, it is highly recommended that you disable this filter
for all SAS applications.
216 Chapter 14 / Best Practices for Configuring Your Middle Tier
To disable the redirection filter for all SAS web applications, follow these steps:
1 In SAS Management Console, navigate to Plug-ins  Application Management 
Configuration Manager  SAS Application Infrastructure Properties and rightclick to display the SAS Application Infrastructure Properties dialog box.
2 Click the Advanced tab.
3 Click Add to display the Define New Property Window.
4 Enter the property name as shown, and specify the property value:
Property Name: App.RedirectionFilterDisabled
Property Value: True
5 Click OK to exit the Define New Property window.
6 Click OK to exit the SAS Application Infrastructure Properties dialog box.
7 To enable this change to go into effect, restart SAS Web Application Server.
217
15
High-Availability Features in the Middle
Tier
Overview of High-Availability Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
SAS Web Application Server Clustering . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Update the Connection to the Relational Database . . . . . . . . . . . . . . 221
Update the Connection to JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
JMS Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Cache Locator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Number of Installed Cache Locators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Configuration Steps for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Configuration Steps for UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
SAS Environment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
SAS Web Infrastructure Platform Data Server . . . . . . . . . . . . . . . . . . . . 229
About This Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Prerequisite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Install the Server Software on an Additional Machine . . . . . . . . . . . 230
Configure the Primary and Secondary Server . . . . . . . . . . . . . . . . . . . . 231
Usage Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
218 Chapter 15 / High-Availability Features in the Middle Tier
Overview of High-Availability Features
The SAS middle tier can be configured for high availability. Some components, like SAS
Web Application Server, can be configured in a cluster automatically. Other
components, like JMS Broker, require manual configuration to enable high availability.
The following sections provide information about strategies for enabling high availability
for each component in the middle tier.
SAS Web Server
SAS Web Server is used as a load balancer for distributing HTTP requests to SAS Web
Application Server instances. The web server is the unique access point for customer to
access all SAS web applications. It detects when an application server in the cluster is
down and routes requests to other nodes. However, it does not have the capability to
monitor the availability of individual web applications, or to monitor the health of an
application server that is running, but might be performing poorly.
A single instance of the web server can be installed with the SAS Deployment Wizard.
Additional instances must be configured manually by copying an existing instance to the
machines to use. From that point, there are several options to achieve high availability:
n
Hardware strategy You can run multiple identical web server instances behind a
hardware load balancer. Because the web server is stateless, the server instances
can be cloned. There is no overhead for session management. There is no failover,
but the next request after the failure is directed to a running web server instance.
Session stickiness to the web application server is honored by any web server
instance. Multiple hardware load balancers can be used in combination with roundrobin DNS (the next strategy) if you require it.
n
Round-robin DNS strategy Multiple identical web server instances can be run on
different hosts, and a special DNS name is created to resolve to multiple IP
addresses. When clients resolve the name with DNS, they receive a list of IP
SAS Web Server 219
addresses to use. Typically, the first IP address in the list is selected and some
clients might use the next IP address if the connection times out. The DNS server
rotates the sequence of the IP addresses that it returns with each request. Some
products can be configured to drop an IP address from the list if a heartbeat stops.
Round-robin DNS has some limitations but is simple and widely used.
n
Operating system strategy You can use high-availability features in the operating
system to achieve failover for the web server. Configure the web server identically
on the main machine and on the hot standby. The two machines maintain a
heartbeat between them. If the main machine fails or runs into difficultly, the
operating system on the hot standby machine assumes the network address of the
main machine and starts to service requests. Operating system failover support is
available with Windows Server 2008 failover clusters and Red Hat failover domains.
For other operating systems, such as IBM AIX or Oracle Solaris, there are similar
functions to support high availability for failover. See your vendor documentation for
more information.
To install additional web server instances, you can use the Install Additional Software
option for the SAS Deployment Wizard and install SAS Web Server only. After the
software is installed, you can copy SAS-config-dir\Lev1\Web\WebServer from
the primary machine to the additional machine. You need to modify the httpd.conf file so
that the ServerName property matches the host name. You might need to set
additional configuration options to match your network topology or to match features
that are enabled in your deployment, such as HTTPS.
For the hardware-based strategy and the round-robin DNS strategy, perform the
following tasks:
1 Update the connection information for each web application. For more information,
see “Specifying Connection Properties” on page 75.
2 Based on the network topology or protocol change, perform the tasks that apply from
“Manual Configuration Tasks” on page 155.
3 Edit the SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\server.xml file and specify the new connection information in the proxyName
attribute for the Connector.
220 Chapter 15 / High-Availability Features in the Middle Tier
4 Update the server for SAS Environment Manager with the new connection
information. Edit the following files and specify the correct host name and port:
n
SAS-config-dir\Lev1\Web\SASEnvironmentManager\server-5.0.0EE\hq-engine\hq-server\webapps\ROOT\WEB-INF\web.xml
n
SAS-config-dir\Lev1\Web\SASEnvironmentManager\server-5.0.0EE\hq-engine\hq-server\webapps\ROOT\WEB-INF\spring\securityweb-context.xml
SAS Web Application Server
SAS Web Application Server Clustering
You can configure a cluster of SAS Web Application Server instances to provide high
availability for the SAS web applications. SAS Web Server provides load balancing to
direct requests to the web application server instances. You can use the SAS
Deployment Wizard to configure a vertical or horizontal cluster automatically.
SAS Web Server uses both cookies and URL encoding for session stickiness. As a
result, requests are proxied to the same SAS Web Application Server instance where
the session was established. Session replication across the cluster is not supported. If
an instance becomes unavailable, subsequent requests are sent to a different server
instance, but the original session and any data in the session are lost. Users do not
need to log on again because the browser maintains a ticket granting ticket cookie from
the CAS servlet in SAS Logon Manager.
SAS Environment Manager and the SAS web applications rely on the SAS Logon
Manager web application for authentication. In a clustered configuration, a failure of a
web application server instance that hosts SAS Logon Manager causes a brief impact to
users that do not already have a session. Once SAS Web Server detects that the web
application server instance is unavailable, it directs subsequent requests to available
instances. There is no impact for users who already have a session. Restarting a web
application server instance that hosts SAS Logon Manager does not require a restart of
any other web applications that rely on it for authentication.
SAS Web Application Server
221
See Also
n
“Understanding Clusters” on page 210
n
“Adding a Horizontal Cluster Member” on page 212
Update the Connection to the Relational
Database
SAS Web Application Server uses the SAS Web Infrastructure Platform Data Server (or
a third-party vendor database). The web application server is configured to test the
database when it provides a new connection from the connection pool. The checks
occur, at most, every 30 seconds. As a result, the web application server can recover
from a failover or restart of the database but can experience up to 30 seconds of trouble
connecting to the database before it recovers.
The following steps show how to configure SAS Web Application Server to take
advantage of SAS Web Infrastructure Platform Data Server when it is configured for
high availability. If you use a third-party vendor database, the steps for using a high
availability JDBC driver and modifying the server.xml file are similar.
To configure SAS Web Application Server for a high-availability SAS Web Infrastructure
Platform Data Server, follow these steps:
1 Copy the hapostgresql.jar and ha-jdbc-properties.xml files from SASHome
\SASWebInfrastructureDataBaseJDBCDrivers\9.4\Driver to SASconfig-dir\Lev1\Web\WebAppServer\SASSServern_m\lib.
2 Edit the SAS-config-dir\Lev1\Web\WebAppServer\SASSServern_m\conf
\server.xml file. Locate the JDBC resources that use
org.postgresql.Driver and change the driverClassName attribute to
com.sas.postgres.ha.Driver. Then change the JDBC subprotocol. See the
following example:
<Resource auth="Container" driverClassName="com.sas.postgres.ha.Driver"
factory="com.sas.vfabrictcsvr.atomikos.BeanFactory" maxPoolSize="100"
minPoolSize="10" name="sas/jdbc/SharedServices"
password="${pw.sas.jdbc.SharedServices}" testQuery="select 1"
type="com.atomikos.jdbc.nonxa.AtomikosNonXADataSourceBean"
uniqueResourceName="sas/jdbc/SharedServices"
222 Chapter 15 / High-Availability Features in the Middle Tier
/>
url="jdbc:hapostgresql://primary.example.com:9432/SharedServices"
user="SharedServices"
3 Edit the ha-jdbc-properties.xml file. The file includes sample configuration values.
Use the following information for reference:
a Set activeServerCount to the number of data server instances. A value of
zero for this property, or a missing configuration file, results in the driver running
in pass-through mode to the standard driver.
b Add the following elements:
activeServerHostn
specifies the host name for the data server.
activeServerDBn
(optional) specifies the database name.
activeServerPortn
(optional) specifies the network port number for the data server.
If you want to monitor the high-availability JDBC driver, you can include logging
information in the SAS Web Application Server logs. Edit the SASServern_m\lib
\log4j.xml file and a category that is similar to the following example:
<!-- =================== -->
<!-- HA driver logging
-->
<!-- =================== -->
<category additivity="false" name="com.sas.postgres.ha">
<priority value="INFO"/>
<appender-ref ref="CONSOLE"/>
<appender-ref ref="FILE"/>
</category>
Update the Connection to JMS Broker
If you configure JMS Broker for high availability, then you need to update the connection
information in SAS Web Application Server.
JMS Broker 223
To configure SAS Web Application Server for a high-availability broker connection, edit
SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\server.xml. Locate the Resource elements that use the
org.apache.activemq.ActiveMQXAConnectionFactory class name and update
the xaProperties.brokerURL attribute as follows:
<Resource auth="Container"
factory="com.sas.vfabrictcsvr.atomikos.BeanFactory" maxPoolSize="20"
name="sas/jms/TopicConnectionFactory"
type="com.atomikos.jms.AtomikosConnectionFactoryBean"
uniqueResourceName="sas/jms/TopicConnectionFactory"
xaConnectionFactoryClassName="org.apache.activemq.ActiveMQXAConnectionFactory"
xaProperties.brokerURL="failover:tcp://primary.example.com:61616,tcp://secondary.e
/>
JMS Broker
The broker is based on Apache ActiveMQ. The Apache documentation offers more than
one strategy for enabling high availability. One method is to use the Shared File System
Master Slave configuration.
The SAS Deployment Wizard does not install or configure an additional instance of the
broker. You can add an instance by archiving the component directory and extracting
the archive on an additional machine.
To configure high availability for the broker:
1 In the existing Active MQ directory, edit the SAS-config-dir\Lev1\Web
\activemq\conf\activemq.xml file.
2 Change the directory that is specified in the kahaDB element. It initially references $
{activemq.data}/kahadb. Specify a directory that is shared between the
machines that you want to use:
<kahaDB directory="/shared/directory/kahadb"/>
3 Archive SAS-config-dir\Lev1\Web\activemq with a utility like zip or tar and
then extract the files on the additional machine. Use an identical directory structure.
224 Chapter 15 / High-Availability Features in the Middle Tier
4 Edit the SAS-config-dir\Lev1\Web\WebAppServer\SASServern_m/conf/
server.xml file. Change all the brokerURL attributes for the resources to
resemble the following example:
brokerURL="failover://(tcp://primary.example.com:61616,tcp://secondary.example.com:6
For more information about the broker implementation, see http://
activemq.apache.org/shared-file-system-master-slave.html.
See Also
“Update the Connection to JMS Broker” on page 222
Cache Locator
Number of Installed Cache Locators
The locator is used to tell new, connecting members like SAS Web Application Server
where running members are located and provides load balancing for server use.
Whether one or two locators are installed depends on your deployment topology:
n
In a single machine deployment, the SAS Deployment Wizard prompts for a cache
locator port on the Web Application Server: Cache Locator Configuration and
Scheduling Services Cache Locator pages. If you specify different port numbers,
then two locators are configured.
n
In a multiple machine deployment, two locators are configured. One is configured on
the primary middle-tier machine and one is configured on the server-tier machine.
The SAS Deployment Wizard does not install and configure more than two locators. The
two locators are peers and when one is down, the other can do all the work. The two
locators provide a failover support.
Cache Locator
225
Configuration Steps for Windows
To configure an additional locator for Windows deployments, follow these steps:
1 On the primary middle-tier machine, the locator software is archived at SAS-
config-dir\Lev1\Web\Scripts\AppServer\src\Config\vfabrictcsvr
\gemfire663.zip
2 Extract the archive to the identical SAS-config-dir\Lev1\Web\gemfire
directory on the additional machine.
3 Create an instance directory that is identical to the primary machine, for example
SAS-config-dir\Lev1\Web\gemfire\instances\ins_41415.
4 Copy the files from the instance directory on the primary machine to the additional
machine.
5 Copy the gemfire\bin\winx86_64\wrapper.conf to the instance directory
(gemfire\instances\ins_41415).
Update the following lines in the wrapper.conf file:
set.GEMFIRE_HOME=../..
set.INSTANCE_NAME=ins_41415
set.INSTANCE_PORT=41415
set.JAVA_HOME=$globalResource.jreHome
set.GEMFIRE_SERVICE_NAME=SAS [Config-Lev1] SAS Cache Locator 41415
set.GEMFIRE_LOCATORS=primary.example.com[41415],secondary.example.com[41415]
Specify a comma-separated list of all the locators in the GEMFIRE_LOCATORS
property.
6 Install Windows service for SAS Cache Locator:
C:\SAS\Config\Lev1\Web\gemfire\bin\winx86_64\installservice.bat
7 Start the locator with the Windows service name SAS [Config-Lev1] SAS
Cache Locator 41415.
226 Chapter 15 / High-Availability Features in the Middle Tier
8 Using the same list of locators (primary.example.com[41415],
secondary.example.com[41415]), to update the following items:
n
Update the wrapper.conf file for all the previously installed locators with the
complete list of locators.
n
Update the -Dsas.cache.locators JVM option for all SAS Web Application
Server instances with the complete list of locators.
n
Update the -Dsas.cache.locators JVM option for all instances of the SAS
Web Infrastructure Platform Scheduling Services with the complete list of
locators. The change is made in the SAS-config-dir\Lev1\Web
\Applications\SASWIPSchedulingServices9.4\servicetrigger.ini
file.
Configuration Steps for UNIX
To configure an additional locator for UNIX deployments, follow these steps:
1 On the primary middle-tier machine, the locator software is archived at SAS-
config-dir\Lev1\Web\Scripts\AppServer\src\Config\vfabrictcsvr
\gemfire663.zip
2 Extract the archive to the identical SAS-config-dir\Lev1\Web\gemfire
directory on the additional machine.
3 Update the following files to be executable:
dos2unix SAS-config-dir/Lev1/Web/gemfire/bin/gemfire
chmod 755 SAS-config-dir/Lev1/Web/gemfire/bin/gemfire
dos2unix SAS-config-dir/Lev1/Web/gemfire/bin/agent
chmod 755 SAS-config-dir/Lev1/Web/gemfire/bin/agent
dos2unix SAS-config-dir/Lev1/Web/gemfire/bin/cacheserver
chmod 755 SAS-config-dir/Lev1/Web/gemfire/bin/cacheserver
dos2unix SAS-config-dir/Lev1/Web/gemfire/bin/gfsh
chmod 755 SAS-config-dir/Lev1/Web/gemfire/bin/gfsh
dos2unix SAS-config-dir/Lev1/Web/gemfire/bin/gemfire-sas
chmod 755 SAS-config-dir/Lev1/Web/gemfire/bin/gemfire-sas
chmod 755 SAS-config-dir/Lev1/Web/gemfire/lib/*.so
Cache Locator
227
4 Create an instance directory that is identical to the primary machine, for example
SAS-config-dir/Lev1/Web/gemfire/instances/ins_41415.
5 Copy the files from the instance directory on the primary machine to the additional
machine.
6 Update the following lines in the instances/ins_41415/gemfire-locator.sh
file:
GF_JAVA=/SASHome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/java
export GF_JAVA
LOCATOR_HOME=/SAS-config-dir/Lev1/Web/gemfire
GEMFIRE_LICENCE_KEY=6M0C3-4VW9H-M8J40-0D52F-DTM0H
LOCATOR_PORT=41415
LOCATORS=primary.example.com[41415],secondary.example.com[41415]
USE_IPV4_STACK=false
USE_IPv6_ADDRESS=false
Specify a comma-separated list of all the locators in the LOCATORS property.
7 Update the gemfire-start-locator-sas.sh file to be executable:
chmod 755 /SAS-config-dir/Lev1/Web/gemfire/instances/ins_41415/
gemfire-start-locator-sas.sh
8 Start the locator with the instances/ins_41415/gemfire-locator.sh start
command.
9 Using the same list of locators (primary.example.com[41415],
secondary.example.com[41415]), to update the following items:
n
Update the gemfire-locator.sh file for all the previously installed locators with the
complete list of locators.
n
Update the -Dsas.cache.locators JVM option for all SAS Web Application
Server instances with the complete list of locators.
n
Update the -Dsas.cache.locators JVM option for all instances of the SAS
Web Infrastructure Platform Scheduling Services with the complete list of
locators. The change is made in the SAS-config-dir/Lev1/Web/
Applications/SASWIPSchedulingServices9.4/servicetrigger.ini
file.
228 Chapter 15 / High-Availability Features in the Middle Tier
SAS Environment Manager
SAS Environment Manager supports a hot-standby fail over cluster. An overview of the
concepts is available from http://pubs.vmware.com/vfabricHyperic50/index.jsp?topic=/
com.vmware.vfabric.hyperic.5.0/Clustering_Hyperic_Servers_for_Failover.html.
An operating system-level fail over cluster can be used to replace the hardware-based
load balancer that is mentioned in the VMware documentation. SAS Environment
Manager can be configured to use an external database, so an operating system-level
fail over cluster does not require shared storage devices.
The following list highlights some considerations for SAS deployment:
n
As VMware indicates, the cluster detection and cache peer detection relies on
multicast. Make sure that your router does not block multicast packets. Otherwise,
the cluster fails to initialize properly. It is also common for virtualization technologies
like VMware and Xen to not enable multicast by default.
n
By default, SAS Web Infrastructure Platform Data Server is used to provide the
database for SAS Environment Manager. Even though the data server can be
configured for high availability, you must configure a different database for SAS
Environment Manager to use.
Because SAS installs and configures SAS Environment Manager, the information
provided by VMware about installation and configuration of the initial server instance
and additional instances does not apply. The initial instance is installed and configured
with the SAS Deployment Wizard.
To install and configure additional instances, follow these steps:
1 Use the Install Additional Software option for the SAS Deployment Wizard to
install SAS Foundation and SAS Environment Manager on the remaining cluster
machines. Use the same SASHome path that was used for the initial server
instance.
SAS Web Infrastructure Platform Data Server 229
2 Copy the SAS-config-dir\Lev1\Web\SASEnvironmentManager files and
directories from the first machine to the remaining cluster machines.
3 Edit the server and agent property files to change the host name to the appropriate
value.
4 When you follow the rest of the steps from the VMWare documentation, keep in
mind these two changes:
n
The load balancer needs to route traffic for the HTTPS port 7443 in addition to
port 7080.
n
Steps 5 and 6 in the VMWare documentation should be reversed. The servers
need to be running before you configure the agents with the hq-agent script.
SAS Environment Manager makes calls to applications that are deployed in SAS Web
Application Server. High availability for those applications is enabled when you cluster
SAS Web Application Server.
SAS Web Infrastructure Platform Data
Server
About This Task
The information in this section describes how to configure the server for streaming
replication. It is based on the information that is available from http://
wiki.postgresql.org/wiki/Streaming_Replication. The information is modified to
accommodate for the SAS installation and configuration processes.
Throughout this section, the following terms are used:
primary
the host and SAS Web Infrastructure Platform Data Server that was installed first
with the SAS Deployment Wizard.
230 Chapter 15 / High-Availability Features in the Middle Tier
secondary
an additional machine and instance of the data server that is used for standby
purposes.
Prerequisite
The account that is used to run SAS Web Infrastructure Platform Data Server must be
configured with passwordless SSH between the primary machine and the secondary
machine. If the account is not already configured for passwordless SSH, perform the
following task.
To configure passwordless SSH, follow these steps:
1 Generate a private key that does not use a passphrase:
ssh-keygen -t rsa -P ""
2 Install the public key in the authorized_keys file on the secondary machine:
ssh-copy-id -i ~/.ssh/id_rsa.pub secondary.example.com
3 Log on to the secondary machine, generate a private key, and install the public key
on the primary machine:
ssh secondary.example.com
ssh-keygen -t rsa -P ""
ssh-copy-id -i ~/.ssh/id_rsa.pub primary.example.com
Install the Server Software on an Additional
Machine
To install an additional server instance, you can use the Install Additional Software
option for the SAS Deployment Wizard and install SAS Web Infrastructure Platform
Data Server only. This installs the server software to the SASHome location. The server
configuration directory and files, SAS-config-dir
\Lev1\WebInfrastructurePlatformDataServer, are copied from the primary
server later.
SAS Web Infrastructure Platform Data Server 231
Configure the Primary and Secondary Server
To configure the servers:
1 Stop the existing server if it is not already stopped.
2 Make a SAS-config-dir\Lev1\WebInfrastructurePlatformDataServer
\archive directory on the primary server.
3 Edit the SAS-config-dir\Lev1\WebInfrastructurePlatformDataServer
\data\pg_hba.conf file and add rules that enable the secondary server to act as
replication agent. The following example enables all database users from all
machines to access the primary server for replication:
host
local
replication
replication
all
all
all
trust
trust
4 Edit the SAS-config-dir\Lev1\WebInfrastructurePlatformDataServer
\data\postgresql.conf file and set the following:
listen_address = "*"
wal_level = hot_standby
checkpoint_segments = 30
archive_mode = on
archive_command = 'cp %p /opt/SAS/Config/Lev1/WebInfrastructurePlatformDataServer/ar
max_wal_senders = 10
wal_keep_segments = 5000
hot_standby = on
Note: Adjust the path in the archive_command value to match your deployment.
5 Copy the SAS-config-dir\Lev1\WebInfrastructurePlatformDataServer
\ directory, files, and subdirectories to the standby machine. Use the identical
directory names.
6 On the secondary machine only, create a recovery command file that is named
SAS-config-dir\Lev1\WebInfrastructurePlatformDataServer\data
\recovery.conf. See the following example that applies to streaming replication:
# Note that recovery.conf must be in $PGDATA directory.
232 Chapter 15 / High-Availability Features in the Middle Tier
standby_mode
= 'on'
# Specifies a connection string which is used for the secondary server
# to connect with the primary.
primary_conninfo
= 'hostaddr=192.168.1.119 port=9432 user=dbmsowner'
# Specifies a trigger file whose presence should cause streaming
# replication to end (i.e., failover).
trigger_file = '/path_to/trigger'
# Specifies a command to load archive segments from the WAL archive. If
# wal_keep_segments is a high enough number to retain the WAL segments
# required for the secondary server, this may not be necessary. But
# a large workload can cause segments to be recycled before the secondary
# is fully synchronized, requiring you to start again from a new base backup.
restore_command = 'cp /path_to/archive/%f "%p"'
7 Start the server on the primary machine and then start the server on the secondary
machine.
See Also
“Update the Connection to the Relational Database” on page 221
Usage Notes
How to perform a failover
Create the trigger file on the standby server after the primary server fails.
How to stop the primary server or the standby server
Use the webinfdsvrc.sh command.
How to restart streaming replication after failover
Repeat the configuration steps from step 5. These steps include copying the database
files, some configuration steps, and starting the original primary server as the standby
server. The primary server does not need to be stopped during these operations.
How to restart streaming replication after the standby fails
Restart the standby server after eliminating the cause of failure.
SAS Web Infrastructure Platform Data Server 233
How to disconnect the standby server from the primary server
Create the trigger file on the standby server while the primary server is running. The
standby server starts and stops replicating changes.
How to resynchronize the standby server after isolation
Shut down the standby server as usual. Repeat the configuration steps from step 5.
234 Chapter 15 / High-Availability Features in the Middle Tier
235
16
Enterprise Integration
Configuring the Middle Tier to Use an Existing
Customer Reverse Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
About Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Support for IBM Tivoli Access Manager WebSEAL . . . . . . . . . . . . . . 244
Configure Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Deploy IBM Tivoli Access Manager Apache Tomcat Adapter . . 244
Configure the WebSEAL Junction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Update the Connection Information for SAS Web Applications . 246
Support for CA SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Configure the Java Unlimited Strength
Cryptography Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Configure the Web Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
SAS Web Application Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Configure SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Configure the Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Support for Integrated Windows Authentication . . . . . . . . . . . . . . . . . 259
Overview of Integrated Windows Authentication
in the Middle Tier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
236 Chapter 16 / Enterprise Integration
Verifying Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Configuring SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . 262
Configure Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Configuring the Microsoft Internet Explorer to Use SPNEGO . . . 266
Configuring the Middle Tier to Use an
Existing Customer Reverse Proxy
Some network topologies already have a web server that is used to proxy connections.
In these deployments, you can reconfigure the SAS middle tier so that it interacts with
the existing web server. In these network topologies, it is simplest to keep SAS Web
Server in the deployment so that it can continue to load balance connections to a SAS
Web Application Server cluster.
To use an existing web server proxy:
1 Edit the SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\server.xml file. Change the value for the proxyName in the /Service/Connector
element. Check the values for proxyPort and scheme:
<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000"
executor="tomcatThreadPool" maxHttpHeaderSize="16384"
maxKeepAliveRequests="15" port="${bio.http.port}"
protocol="org.apache.coyote.http11.Http11Protocol"
proxyName="proxy.example.com" proxyPort="443"
redirectPort="${bio.https.port}" scheme="https"
useBodyEncodingForURI="true"
/>
If you have more than one SAS Web Application Server instance, make the change
for each one.
Note: If the existing reverse proxy uses HTTPS with a site-signed certificate, import
the certificate to the SASHome\SASPrivateJavaRuntimeEnvironment
\9.4\jre\lib\security\cacerts file.
2 In order to determine which URLs to proxy, review the SAS-config-dir
\Lev1\Web\WebServer\conf\sas.conf file.
Web Authentication
237
Each application that is identified in a pair of ProxyPass and ProxyPassReverse
directives must be proxied.
3 Use SAS Management Console to specify an external connection for each SAS web
application. For more information, see “Specifying Connection Properties” on page
75.
4 Use SAS Management Console to update the WebDAV connection information. For
more information, see “Manual Configuration Tasks” on page 155.
5 Restart SAS Web Application Server.
Web Authentication
About Web Authentication
By default, SAS web applications use the form-based authentication that is provided by
the SAS Logon Manager application. When credentials are provided to SAS Logon
Manager, the credentials are sent to the SAS Metadata Server for authentication. The
metadata server then authenticates the credentials against its authentication provider.
The default provider is the host operating system.
As an alternative, you can configure the SAS web applications to authenticate on the
middle tier. When users log on to a SAS web application, SAS Web Application Server
handles the initial authentication for container-managed security.
Performing web authentication facilitates single sign-on. Most likely, your organization
has several applications behind a common set of reverse proxy and HTTP servers. By
having a common server handle authentication, users do not need to re-authenticate for
access to each application.
See Also
For more information, see Chapter 11, “Authentication Mechanisms,” in SAS
Intelligence Platform: Security Administration Guide.
238 Chapter 16 / Enterprise Integration
Configuring Web Authentication
If you have server instances on multiple machines, then perform these steps on each
machine. If you use vertical clustering (multiple servers on a machine), then you need to
perform these steps only once on the machine. These instructions configure every
instance of SAS Web Application Server on a machine. The following list identifies
some considerations:
n
Before you perform this procedure, make sure that you grant administrators access
to SAS Environment Manager. Once web authentication is configured, internal
accounts like sasadm@saspw are unlikely to exist in the authentication provider that
you use for web authentication.
n
If you have users in SAS metadata that do not have a user ID on the Accounts tab,
then a SAS identity will not be found after authentication to the web application
server container succeeds and authorization takes place. Use SAS Management
Console to create an authentication domain named web. Add an account on the
Accounts tab for each of those users in the web authentication domain.
To configure web authentication, follow these steps:
Modify SAS Logon Manager Installation Files
1 Edit SASHome\SASWebInfrastructurePlatform\9.4\Static\wars
\sas.svcs.logon\WEB-INF\cas-servlet.xml and add the following code
above the closing </beans> tag:
<bean id="principalFromRemoteAction"
class="org.jasig.cas.adaptors.trusted.web.flow.
PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction"
p:centralAuthenticationService-ref="centralAuthenticationService" />
Note: The previous bean definition must be entered on one line. It is shown on
more than one line for display purposes only.
2 Edit SASHome\SASWebInfrastructurePlatform\9.4\Configurable\wars
\sas.svcs.logon\WEB-INF\deployerConfigContext.xml.orig and add
the following bean definition. Add this within the /beans/
Web Authentication
239
bean[id="authenticationManager"]/
property[name="credentialsToPrincipalResolvers"]/list:
<bean class="org.jasig.cas.adaptors.trusted.authentication.principal.
PrincipalBearingCredentialsToPrincipalResolver" />
Note: The previous bean definition must be entered on one line. It is shown on
more than one line for display purposes only.
3 In the same file, add the following bean definition within the /beans/
bean[id="authenticationManager"]/
property[name="authenticationHandlers"]/list:
<bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.
PrincipalBearingCredentialsAuthenticationHandler" />
Note: The previous bean definition must be entered on one line. It is shown on
more than one line for display purposes only.
4 Edit SASHome/SASWebInfrastructurePlatform/9.4/Static/wars/
sas.svcs.logon/WEB-INF/login-webflow.xml. Locate the following block:
<action-state id="generateLoginTicket">
<evaluate
expression="generateLoginTicketAction.generate(flowRequestContext)" />
<transition on="success" to="viewLoginForm" />
</action-state>
Replace the previous block with the following:
<action-state id="generateLoginTicket">
<evaluate
expression="generateLoginTicketAction.generate(flowRequestContext)" />
<transition on="success" to="remoteAuthenticate" />
</action-state>
<action-state id="remoteAuthenticate">
<evaluate expression="principalFromRemoteAction" />
<transition on="success" to="sendTicketGrantingTicket" />
<transition on="error" to="viewLoginForm" />
</action-state>
5 Edit SASHome\SASWebInfrastructurePlatform\9.4\Configurable\wars
\sas.svcs.logon\WEB-INF\web.xml.orig and add the following code above
the closing </web-app> tag:
240 Chapter 16 / Enterprise Integration
<security-constraint>
<web-resource-collection>
<web-resource-name>
HTMLHostManager and HostManager commands
</web-resource-name>
<url-pattern>/login</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_USER</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Host Manager Application</realm-name>
</login-config>
<security-role>
<description>The role that is required to log on</description>
<role-name>ROLE_USER</role-name>
</security-role>
Note: Replace ROLE_USER with an attribute that you can use to distinguish users
that are granted access to the web applications.
Note: As an alternative to updating the web.xml.orig file, you can edit the deployed
file, SAS-config-dir\Levn\Web\WebAppServer
\SASServer1_1\sas_webapps\sas.svcs.logon.war\WEB-INF\web.xml.
This avoids the need to rebuild and redeploy the application, but you need to make
sure your changes are not overwritten if the application is redeployed at a later date.
Modify SAS Visual Analytics Transport Service Installation Files
These steps apply to deployments that distribute reports for SAS Mobile BI users. Make
sure that you use BASIC for the auth-method. SAS Mobile BI supports BASIC
authentication only.
6 Edit SASHome\SASVisualAnalyticsServices\6.2\Configurable\wars
\sas.bitransportservices\WEB-INF\web.xml.orig and remove the
comment that encloses the security-constraint:
<!-uncomment for BASIC Auth -->
<security-constraint>
<web-resource-collection>
Web Authentication
241
<web-resource-name>TransportLogin</web-resource-name>
<url-pattern>/onebi/logon</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>SASWebUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SASrealm</realm-name>
</login-config>
<security-role>
<role-name>SASWebUser</role-name>
</security-role>
-->
Note: As an alternative to updating the web.xml.orig file, you can edit the deployed
file, SAS-config-dir\Levn\Web\WebAppServer
\SASServer1_1\sas_webapps\sas.bitransportservices.war\WEB-INF
\web.xml. This avoids the need to rebuild and redeploy the application, but you
need to make sure your changes are not overwritten if the application is redeployed
at a later date.
7 Replace the SASWebUser value in the file with an attribute that you can use to
distinguish users that are granted access to the web applications. Using the same
value that was used for SAS Logon Manager is common.
Rebuild and Redeploy Web Applications
8 Use the SAS Deployment Manager to rebuild the SAS web applications. Rebuild
SAS Web Infrastructure Platform.
If you modified SAS Transport Services, also rebuild Visual Analytics Services.
9 Stop SAS Web Application Server and then use the SAS Deployment Manager to
redeploy the SAS Web Infrastructure Platform and Visual Analytics Services (if it
was modified).
Do not start SAS Web Application Server now. Start it when this procedure is
complete.
242 Chapter 16 / Enterprise Integration
Confirm that Users Have Accounts in SAS Metadata
10 Start SAS Management Console and access the User Manager plug-in.
11 Check that each user has an account on the Accounts tab. If any user that requires
access to the web applications does not, then right-click the User Manager plug-in
and select Authentication Domains. Click New and specify web as the name.
12 For each user that does not already have an account on the Accounts tab, add an
account with the user ID in the web authentication domain.
(Optional) Validate the Previous Steps
13 You can validate the previous steps by using "file" validation at this point. This is
possible because SAS configures a UserDatabaseRealm by default in server.xml.
Edit SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\tomcat-users.xml to be something similar to the following example:
<?xml version="1.0"?>
<tomcat-users>
<role rolename="ROLE_USER" />
<user username="sasdemo" password="Password1" roles="ROLE_USER" />
</tomcat-users>
Note: If you have more than one web application server instance, you must copy
the tomcat-users.xml file to each one.
Note: You can substitute a real user account that is in SAS metadata instead of
sasdemo. Either way, the specified user must have an account on the Accounts tab
in metadata.
14 Start SAS Web Application Server and then access an application such as SAS Web
Report Studio. The previous steps are valid if the following occur:
n
you are challenged for credentials
n
the credentials in the tomcat-users.xml file are accepted
n
you are able to access the web application
Web Authentication
243
15 Remember to remove the user and role information when you complete this
procedure.
Configure the Realm for SAS Web Application Server
16 Edit SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\server.xml and locate the existing /Server/Service/Engine/Realm
definition.
Note: If you have more than one web application server instance, you must make
the following changes to each one.
17 Modify the realm information so that it accesses the system that you want to use for
identity management. The following is an example for accessing an LDAP server:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionName="cn=Directory Manager,dc=example,dc=com"
connectionPassword="******"
connectionURL="ldap://directory.example.com:389"
roleBase="ou=groups,dc=example,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
roleSubtree="false"
userPattern="uid={0},ou=people,dc=example,dc=com"
/>
TIP This sample realm replaces the UserDatabaseRealm inside the
LockoutRealm. For more information, see http://tomcat.apache.org/tomcat-4.0doc/realm-howto.html.
TIP If you are unsure of the LDAP schema in use, a utility like ldapsearch or an
LDAP browser can help you identify the values to use in your deployment.
18 Start SAS Web Application Server.
19 Make a copy of all the files that you changed in the first part of this procedure. These
files can be overwritten when you apply a maintenance release.
244 Chapter 16 / Enterprise Integration
Support for IBM Tivoli Access Manager
WebSEAL
Configure Web Authentication
Follow the steps in the “Web Authentication” procedure, with the following changes:
n
Specify AMTomcatAuthenticated for the role-name element in the web.xml.orig
file.
n
Do not add users to tomcat-users.xml or configure a Realm in the server.xml file.
Deploy IBM Tivoli Access Manager Apache
Tomcat Adapter
To download and deploy the adapter, follow these steps:
1 You can download the adapter from http://www-304.ibm.com/support/docview.wss?
uid=swg24021393.
Apache Tomcat version 7.x applies to SAS Web Application
Server.
2 Extract the AMTomcatValue.jar file from the archive and deploy it to SAS-config-
dir\Lev1\Web\WebAppServer\SASServer1_1\lib.
If your deployment includes additional server instances, deploy the JAR file to the
lib directory for each server instance.
3 Edit SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\server.xml and locate the existing /Engine definition. Add the following Valve
definition:
<Valve
className="com.ibm.tivoli.integration.am.catalina.valves.AMTomcatValve"
fallThrough="true" />
Support for IBM Tivoli Access Manager WebSEAL
245
Note: The fallThrough attribute must be set to true. If you have more than one
server instance, you must make the change to each one.
4 Restart SAS Web Application Server.
Configure the WebSEAL Junction
Create a standard WebSEAL junction that uses the host name and port that SAS Web
Application Server is listening on. This is completed with a command that is similar to
the following:
pdadmin> server task default-webseald-host_name create -t tcp -c iv-user,iv-groups
-b ignore -h saswebserver.example.com -p 80 /junction_name -I
Note: Be sure to use the -I (capital i) argument to ensure unique Set-Cookie name
attributes.
Modify the Junction Mapping Table (JMT) to include the following entries:
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
*/FolderModule/*
*/SASAdmin/*
*/SASAuthorizationServices/*
*/SASBIDashboard/*
*/SASBIDashboardEventGen/*
*/SASBIPortlets/*
*/SASBIWS/*
*/SASContentServer/*
*/SASDeploymentBackup/*
*/SASEnvironmentMgrMidTier/*
*/SASFlexThemes/*
*/SASIdentityServices/*
*/SASJSR168RemotePortlet/*
*/SASLogon/*
*/SASPackageViewer/*
*/SASPermissionManager/*
*/SASPortal/*
*/SASPreferences/*
*/SASPrincipalServices/*
*/SASSharedApps/*
*/SASStoredProcess/*
*/SASTemplateEditor/*
*/SASTheme_default/*
*/SASThemeDesignerForFlex/*
*/sasweb/*
246 Chapter 16 / Enterprise Integration
/junction_name
/junction_name
/junction_name
/junction_name
/junction_name
*/SASWebDoc/*
*/SASWebReportStudio/*
*/SASWIPServices/*
*/SASWorkflowServices/*
*/SASWorkflowWebServices/*
TIP These entries represent most of a SAS Enterprise Business Intelligence
deployment. Look at the SAS-config-dir\Lev1\Web\WebServer\conf
\sas.conf file for the application context roots that are in your deployment.
Note: Do not include /SASWIPClientAccess in the junction. If you protect this web
application, then desktop applications like SAS Management Console cannot
authenticate. Also, do not include /SASWIPSoapServices. If you include /SASBIWS,
make sure that custom applications can perform BASIC authentication.
Load the JMT with a command that is similar to the following:
pdadmin> server task default-webseald-host_name jmt load
See Also
IBM Tivoli Access Manager for e-business WebSEAL Administration Guide
Update the Connection Information for SAS
Web Applications
When users authenticate through WebSEAL, it adds headers to the request to indicate
that the user has already authenticated. When the request gets to SAS Web Application
Server, the valve intercepts the request and determines that the user was
authenticated. The valve sets a principal in the request with the user name that was
authenticated and the role AMTomcatAuthenticated. In order for user’s requests to
be directed back through the WebSEAL server, the external connection information for
each SAS web application must reference the WebSEAL server. See the following
information:
n
Follow the instructions for configuring the External Connection at “Specifying
Connection Properties” on page 75. Make sure that you also specify the Dsas.retry.internal.url=true JVM option that is identified on that page.
Support for CA SiteMinder
n
247
Configure the SAS Content Server connection information. Perform the tasks in
“Manual Configuration Tasks” on page 155.
Support for CA SiteMinder
Overview
SAS 9.4 support for CA SiteMinder requires configuring a Web Agent to communicate
with SAS Web Server and a custom Tomcat valve for SAS Web Application Server.
SAS provides the custom valve. Successful authentication results in a security token
(SMSESSION) being set in the user's web browser cookies. The valve is part of the
Tomcat request pipeline. It receives the security token in the request and communicates
with the policy servers through an API to decode the user credentials from the security
token. This works in conjunction with web authentication to integrate with existing CA
SiteMinder single sign-on environments.
Dependencies
SAS 9.4 integration with CA SiteMinder depends on two software applications from CA:
n
CA SiteMinder Web Agent (any version)
n
CA SiteMinder SDK r12.x
The software applications are not included with SAS software. They can be downloaded
from the CA support page. (Downloading the packages requires a CA support account
and license.)
The custom Tomcat valve has a run-time dependency on the SDK. For Java agents, CA
provides two distinct implementations of the API. Either implementation can be used by
including the API JAR file shown below in the classpath. However, the detailed
248 Chapter 16 / Enterprise Integration
instructions that follow describe how to use the Pure Java API (smagentapi.jar in the
following table).
Table 16.1
API JAR Files and Dependencies
API JAR File
Dependency
Notes
smjavaagentapi.jar
smjavasdk2.jar
This JAR file requires setting the
library path to the SDK and Web
Agent native libraries in the Java
process that runs SAS Web
Application Server. You can share
the SmHost.conf configuration file
with the Web Agent.
smagentapi.jar
cryptoj.jar
This JAR file requires the Java
Unlimited Strength Cryptography
Extension (JCE).
Create two host configurations. Configure one for the Web Agent to use with SAS Web
Server and a separate one for the agent to use with SAS Web Application Server. The
following table shows the sample values that are used in the following sections.
Table 16.2
Sample Values for Agent Configurations
Property Name
Value
Policy server
policyserver.example.com
Admin user name
siteminder
Admin password
Pass
Host configuration and host name
hostname_apache for the web server
hostname_tc for SAS Web Application
Server
Agent name
sasagent
Agent configuration
sasagentconf
Support for CA SiteMinder
249
For information about configuring the agents and the policy servers, see the CA
SiteMinder product documentation.
Configure the Java Unlimited Strength
Cryptography Extension
The CA SiteMinder Pure Java API requires that the Java environment used by SAS
Web Application Server to be updated with the Java Unlimited Strength Cryptography
Extension.
To configure the extension, follow these steps:
1 Download the Unlimited Strength JCE from Oracle. It is available from http://
www.oracle.com/technetwork/java/javase/downloads/jce-7-download-443124.html.
2 Extract the archive. In the jce directory, extract all four files (COPYRIGHT.html,
local_policy.jar, README.txt, US_export_policy.jar) to JAVA_HOME\jre\lib
\security.
Note: The default JRE is located in SASHome
\SASPrivateJavaRuntimeEnvironment\9.4\jre
Configure the Web Agent
Purpose
You can use this information to configure SAS Web Server with a web agent. This can
be necessary if your site does not already have a web server that is configured with a
web agent or the existing web agent is in a different top-level domain (company.com
versus organization.com).
Note: If your site already has a web server that is configured with a web agent, you can
skip to “SAS Web Application Contexts” on page 252.
The Tomcat valve for CA SiteMinder relies on using SAS Web Server as a reverse
proxy. The SAS Web Server can be configured with the Web Agent plug-in module for
Apache HTTP Server. The following sections describe how to perform this
configuration. The Web Agent software must already be installed.
250 Chapter 16 / Enterprise Integration
Note: SiteMinder provides a configuration utility. However, on Windows, it does not
recognize SAS Web Server, so manual configuration is necessary.
Register the SAS Web Server Host
To register the machine with the CA SiteMinder policy server, follow these steps:
1 On Windows 64-bit platforms only, copy the ICE_JNIRegistry.dll from C:\Windows
\System32 to C:\Windows\SysWOW64.
2 Run the smreghost.bat command in the bin directory under the Web Agent
installation to register the host with the policy servers. On UNIX, make sure you
source the ca_wa_env.sh script first.
smreghost -i policyserver.example.com -u siteminder -p Pass
-hc hostname_apache -hn hostname_apache
-o -f ../config/SmHost.conf
If successful, the command generates the SmHost.conf file.
Configure SAS Web Server for the Web Agent
TIP You can try to use the CA SiteMinder Web Agent installer. If it does not detect
SAS Web Server, then follow the manual steps in this section.
To configure the server manually, follow these steps:
1 Create a WebAgent.conf file in the SAS-config-dir\Lev1\Web\WebServer
\conf directory. Make sure that it specifies the path to the SmHost.conf file that was
generated earlier and that the agent name is correct. See the following example:
HostConfigFile="C:\Program Files (x86)\CA\webagent\config\SmHost.conf"
AgentConfigObject="sasagentconf"
EnableWebAgent="YES"
ServerPath="c:\SAS\Config\Lev1\Web\WebServer\conf"
LoadPlugin="C:\Program Files (x86)\CA\webagent\bin\HttpPlugin.dll"
AgentIdFile="C:\SAS\Config\Lev1\Web\WebServer\conf\AgentId.dat"
For UNIX deployments, the library for the LoadPlugin property is named
libHttpPlugin.so instead of HttpPlugin.dll.
2 Edit the SAS-config-dir\Lev1\Web\WebServer\conf\httpd.conf file. Add
lines that are similar to the following at the beginning of the LoadModule directives:
Support for CA SiteMinder
251
LoadModule sm_module "C:/Program Files (x86)/CA/webagent/bin/mod_sm22.dll"
SmInitFile "C:/SAS/Config/Lev1/Web/WebServer/conf/WebAgent.conf"
For UNIX deployments, the name of the library is libmod_sm22.so instead of
mod_sm22.dll.
3 Add lines that are similar to the following in the Aliases section. Change the paths to
match the location of the Web Agent software on your machine.
<IfModule alias_module>
Alias /siteminderagent/nocert/[0-9]+/(.*) "C:/Program Files (x86)/
CA/webagent/$1"
<Directory "C:/Program Files (x86)/CA/webagent/$1">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /siteminderagent/pwcgi/ "C:/Program Files (x86)/CA/webagent/pw/"
<Directory "C:/Program Files (x86)/CA/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /siteminderagent/pw/ "C:/Program Files (x86)/CA/webagent/pw/"
<Directory "C:/Program Files (x86)/CA/webagent/pw/">
Options Indexes MultiViews ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /siteminderagent/ "C:/Program Files (x86)/CA/webagent/samples/"
<Directory "C:/Program Files (x86)/CA/webagent/samples/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</IfModule>
4 Restart SAS Web Server.
252 Chapter 16 / Enterprise Integration
Troubleshooting the Web Agent for SAS Web Server
If SAS Web Server does not start or generates errors, use the following information to
assist with troubleshooting.
1 Create a WebAgentTrace.conf file in SAS-config-dir\Lev1\Web\WebServer
\conf. Include the following lines:
components: AgentFramework, HTTPAgent, WebAgent
data: Date, Time, Pid, Tid, TransactionID, Function, Message
2 Use the CA SiteMinder Administrative UI to set the trace properties for the agent
configuration. The following table provides sample values:
Table 16.3
Sample Values for CA SiteMinder Web Agent Troubleshooting
Property Name
Value
TraceAppend
Yes
TaceConfigFile
C:\SAS\Config\Lev1\Web
\WebServer\conf
\WebAgentTrace.conf
TraceFile
Yes
TraceFileName
C:\SAS\Config\Lev1\Web
\WebServer\logs
\webagent.trace
TraceFileSize
100
SAS Web Application Contexts
If you already have a reverse proxy that is configured, you need to modify it to proxy the
SAS web applications. You can use the SAS-config-dir\Lev1\Web\WebServer
\conf\sas.conf file as a starting point.
If you use the file, make a copy and make sure that you perform the following edits:
Support for CA SiteMinder
253
n
Change all host name references from the SAS Web Application Server machine to
the SAS Web Server machine in the ProxyPass and ProxyPassReverse
directives.
n
Change the host name in the BalancerMember and ProxySet directives to use the
SAS Web Server machine.
The following is a portion of the configuration file that shows the changes:
ProxyPass /SASLogon balancer://SAS_Web_Server_Cluster/SASLogon
ProxyPassReverse /SASLogon balancer://SAS_Web_Server_Cluster/SASLogon
...
<Proxy balancer://SAS_Web_Server_Cluster>
BalancerMember http://<SAS_Web_Server:80 route=SAS_Web_Server_SASServer1_1
</Proxy>
--------------------------------This modified sas.conf file must be added
to the httpd.conf file o reverse proxy server.
Here is an example:
--------------------------------<IfModule mod_proxy.c>
Include conf/sas.conf
</IfModule>
Configure SAS Web Application Server
Considerations for Multiple SAS Web Application Server
Instances
If you have more than one instance of SAS Web Application Server, perform the steps
in the following sections for each server instance.
Configure Web Authentication
Follow the steps in the “Web Authentication” procedure, but specify
SiteMinderAuthenticated for the role-name element in the web.xml.orig file.
Register the SAS Web Application Server Host
A host configuration object must be configured on the policy server for each host that
runs SAS Web Application Server. Use a separate host configuration from the Web
254 Chapter 16 / Enterprise Integration
Agent used for SAS Web Server, even if the web server runs on the same host as SAS
Web Application Server.
To register the machine with the CA SiteMinder policy server, follow these steps:
1 Check the smreghost.bat command in the bin directory where the CA SiteMinder
SDK is installed. Check the values for the following variables:
JAVA_HOME
Make sure this identifies an installation of Java. You can use SASHOME
\SASPrivateJavaRuntimeEnvironment\9.4\jre.
SM_REGHOST_CLASSPATH
Make sure this path includes the smagentapi.jar and crypto.jar files. They are
located in the CA SiteMinder SDK java or java64 directories.
2 Run the script to register the host with the policy servers. On UNIX, make sure you
source the ca_wa_env.sh script first.
smreghost.bat -i policyserver.example.com -u siteminder -p Pass
-hc hostname_tc -hn hostname_tc
-o -f "C:\SAS\Config\Lev1\Web\WebAppServer\SASServer1_1\conf\SmHost.conf"
If successful, the command generates the SmHost.conf file.
Configure SAS Web Application Server for the Web Agent
To configure the server, follow these steps:
1 Create a WebAgent.conf file in the SAS-config-dir\Lev1\Web\WebAppServer
\SASServer1_1\conf directory. Make sure that it specifies the path to the
SmHost.conf file that was generated earlier and that the agent config object is
correct. See the following example:
HostConfigFile="C:\SAS\Config\Lev1\Web\WebAppServer\SASServer1_1\conf\SmHost.conf"
AgentConfigObject="sasagentconf"
EnableWebAgent="YES"
2 Copy the sas.svcs.security.vfabrictcsvr.siteminder.jar file from the SASHOME
\SASWebApplicationServer\9.4\templates\sas\lib directory to SASconfig-dir\Lev1\Web\WebAppServer\SASServer1_1\lib.
Support for CA SiteMinder
255
3 Edit SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\server.xml and locate the existing /Engine definition. Add the following Valve
definition:
<Valve
className="com.sas.svcs.security.vfabrictcsvr.siteminder.SiteMinderValve"
role="SiteMinderAuthenticated"
agentName="sasagent"
webagentConf="${catalina.base}/conf/WebAgent.conf" />
Table 16.4
SiteMinder Valve Attributes
Attribute
Description
Default Value
Required
role
Specifies the name of the role
to add to authenticated
principals.
SiteMinderAuthentic
ated
No
agentName
Specifies the name of the
agent that was specified in
the SiteMinder Administrator
UI.
None
Yes
webagentConf
Specifies the path to the
WebAgent.conf file.
None
Yes
4 In the same server.xml file, check the values for the proxyName and proxyPort in the
existing /Connector definition. If you are using an external proxy, change the
values so that they match the proxy instead of SAS Web Server.
5 Add the smagentapi.jar and crypto.jar files to the classpath using the following
information, or copy the files to the lib directory for each server instance.
For Windows deployments, edit SASServer1_1\conf\wrapper.conf and make
changes that are similar to the following example:
wrapper.java.classpath.10=C:\Program Files (x86)\CA\sdk\java\smagentapi.jar
wrapper.java.classpath.11=C:\Program Files (x86)\CA\sdk\java\cryptoj.jar
For UNIX deployments, edit SASServer1_1\bin\setenv.sh and make changes that
are similar to the following example:
CLASSPATH="/opt/CA/sdk/java/smagentapi.jar:/opt/CA/sdk/java/crypto.jar"
256 Chapter 16 / Enterprise Integration
6 Restart SAS Web Application Server.
Troubleshooting the Tomcat Valve
If the SAS Web Application Server does not start or generates errors, use the following
information to assist with troubleshooting.
1 Edit SASServer1_1\lib\log4j.xml and add the following lines:
<category name="com.sas.svcs.security.vfabrictcsvr">
<priority value="DEBUG"/>
</category>
2 Restart SAS Web Application Server and monitor the SASServer1_1\logs
\server.log file.
3 If the server is configured correctly to use the value, the log contains messages like
the following example:
yyyy-mm-dd 10:14:57,314 DEBUG (main) [SiteMinderValve] Valve starting...
yyyy-mm-dd 10:14:59,243 DEBUG (main) [SiteMinderValve] AgentAPI getConfig successfull
yyyy-mm-dd 10:14:59,265 DEBUG (main) [SiteMinderValve] AgentAPI successfully
initialized
yyyy-mm-dd 10:14:59,270 DEBUG (main) [SiteMinderValve] AgentAPI doManagement
successful
yyyy-mm-dd 10:14:59,270 DEBUG (main) [SiteMinderValve] Valve initialization complete
10:14:59,354 | INFO | [Catalina] | Server startup in 1422471 ms
Note: The class name is shorted to SiteMinderValue for readability in the example.
4 After a successful logon attempt, the log contains messages like the following
example:
Support for CA SiteMinder
257
yyyy-mm-dd 14:02:31,404 DEBUG (tomcat-http--42) [SiteMinderValve] GET /SASLogon/
login from 192.168.99.37
yyyy-mm-dd 14:02:31,406 DEBUG (tomcat-http--42) [SiteMinderValve] Request has a
SMSESSION token
yyyy-mm-dd 14:02:31,412 DEBUG (tomcat-http--42) [SiteMinderValve] Resource
'/SASLogon/login' is protected by SiteMinder realm hostname.example.com_tcServer
Realm
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve]
200=hostname.example.com_tcserver
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve] 208=192.168.14.248
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve] 205=RreaOHVxS3N+1/
Y9vQqRFmWOCfU=
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve]
218=CN=sasdemo,OU=People,DC=EXAMPLE,DC=COM
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve] 210=sasdemo
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve] 154=1360867934
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve] 225=3600
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve] 155=1360868551
yyyy-mm-dd 14:02:31,418 DEBUG (tomcat-http--42) [SiteMinderValve] 226=7200
yyyy-mm-dd 14:02:31,422 DEBUG (tomcat-http--42) [SiteMinderValve] SiteMinder session
for user sasdemo has been verified
Configure the Policy Server
Configure the Realm
In the CA SiteMinder Administrative UI, configure the realm used by the Web Agent for
SAS Web Server, if you used it, and the Web Agent that is used for SAS Web
Application Server.
If you used an existing reverse proxy instead of SAS Web Server, the SiteMinder
domain, realm, rule, and policy should be configured from the SiteMinder Administrative
UI. Use a resource filter that protects /SASLogon/login only. This is essential to
internal web service calls between SAS web applications so that they are not blocked at
the proxy by the Web Agent.
Configuring a single resource filter also keeps performance as high as possible. If you
want to protect every SAS web application with CA SiteMinder, then you need to create
a separate Realm and filter for each web application that is accessed with a web
browser. (For example, /SASWebReportStudio, /SASAdmin, /SASPortal, and so
on.).
Here are the high-level steps:
258 Chapter 16 / Enterprise Integration
n
Create a domain for the reverse proxy server.
n
Add the user directory to the domain.
n
Create a realm under the domain. Select the agent from the menu. Check that the
resource filter is /SASLogon/login.
n
Create a rule with the resource specified as *. When you view the rule that you
generated, the attribute value for the Effective Resource should appear as
follows:
agent_name/SASLogon/login*
n
Create a policy and add users from the user directory that you defined in the
domain. Add the rule that you defined to the policy.
Repeat the preceding high-level steps for SAS Web Application Server.
If you plan to use CA SiteMinder authentication for SAS BI Web Services, you also
need to create a Realm and filter to protect /SASBIWS.
Special Considerations for Agent Configuration Parameters
The following table identifies some agent configuration parameters that are known to
cause problems in a SAS deployment:
Parameter
Issue
BadUrlChars
This parameter is used by the Web Agent to reject requests that
have certain characters in them. This parameter interferes with
the DAV requests that are used by SAS Content Server. You can
remove the parameter or modify it to allow all the characters that
are used in the DAV requests.
RequiredCookies
This parameter can interfere with clients that use SiteMinder
authentication to SAS web services. Set this parameter to no if
access to web services is affected.
Support for Integrated Windows Authentication
259
Support for Integrated Windows
Authentication
Overview of Integrated Windows
Authentication in the Middle Tier
Integrated Windows Authentication (IWA) is a Microsoft technology that is used in an
environment where users have Windows domain accounts. With IWA, the credentials
(user name and password) are hashed before being sent across the network. The client
browser proves its knowledge of the password through a cryptographic exchange with
the web application server.
The key components of IWA in the middle tier are an Active Directory Controller
machine (Windows 2000 Server or higher), a Kerberos Key Distribution Center (KDC) in
a Domain Controller machine, a machine with a client browser, and SAS Web
Application Server.
When IWA is used in conjunction with Kerberos, IWA enables the delegation of security
credentials. Kerberos is an industry‐standard authentication protocol that is used to
verify user or host identity. The Kerberos protocol uses strong cryptography so that a
client can prove its identity to a server (and vice versa) across an insecure network
connection.
When Active Directory is installed on a Domain Controller running Windows 2000
Server (or higher), and the client browser supports the Kerberos authentication protocol,
Kerberos authentication is used. Use of the Kerberos protocol is determined by the
following requirements:
n
The client must have a direct connection to Active Directory.
n
Both the client and the server must have a trusted connection to a Key Distribution
Center (KDC) and be compatible with Active Directory.
n
Service Principal Names (SPNs) are required for multiple worker processes.
260 Chapter 16 / Enterprise Integration
Dependencies
Review the following list of software requirements and required information:
n
An Active Directory Domain Controller that is running Windows 2000 Server or
higher is needed.
n
The desktops for users must be Microsoft Windows 2000 (or higher) domain
members and have a browser client that supports the SPNEGO authentication
mechanism. Microsoft Internet Explorer Version 7.0 or later qualifies as the client.
n
The clock on the desktop machines, the domain controller, and the machine for SAS
Web Application Server should be synchronized to within five minutes.
n
The machine that is used for SAS Web Application Server must have the service
principal name (SPN) registered with Active Directory. If you need to request this
from your information technology support group, also request the following:
n
o
keytab file
o
the user name that the principal is mapped to
Understand the organization of users and groups in your Active Directory
deployment if you plan to use organizational unit or group information for authorizing
access to the SAS web applications.
Verifying Prerequisites
Verify the Kerberos Service Principal Name
Active Directory provides support for service principal names (SPN). SPNs are a key
component in Kerberos authentication. SPNs are unique identifiers for services running
on servers. Every service that uses Kerberos authentication needs to have an SPN set
for it so that clients can identify the service on the network. An SPN usually matches the
pattern of name@YOUR.REALM. You need to confirm that an SPN for the machine
used with SAS Web Application Server is registered in the Kerberos realm. If an SPN is
not set for a service, clients have no way of locating that service. Without correctly set
SPNs, Kerberos authentication is not possible.
Support for Integrated Windows Authentication
261
To verify that the SPN for the service is registered, follow these steps:
1 Verify that there is a mapping already configured:
setspn -F -Q HTTP/hostname.example.com
Output 16.1
Sample SPN Query
Checking forest DC=EXAMPLE,DC=com
CN=hostname-http,OU=Service Accounts,OU=Servers,DC=EXAMPLE,DC=com
HTTP/hostname.example.com
HTTP/hostname
Existing SPN found!
If an SPN is not found, then contact your information technology support group for
assistance with registering the machine.
2 Verify that the service is linked to a single account:
setspn -L hostname-http
Output 16.2
Sample Account Query
Registered ServicePrincipalNames for CN=hostname-http,OU=Service
Accounts,OU=Servers,DC=EXAMPLE,DC=com:
HTTP/hostname.example.com
HTTP/hostname
The value for hostname-http is identified in the CN from the previous command
output.
Verify the Kerberos Keytab File
A keytab is a file containing pairs of Kerberos principals and encrypted keys. The keys
are derived from the Kerberos password. The keytab file contains the information for
SAS Web Application Server to authenticate to the Key Distribution Center (KDC). You
can get the keytab file from your information technology support group. The file must be
copied to the machine used for SAS Web Application Server. The file must be readable
by the user account running SAS Web Application Server. The file should not be
readable by other accounts.
262 Chapter 16 / Enterprise Integration
To verify the keytab file, follow these steps:
1 (Optional) Move the keytab file to SAS-config-dir\Lev1\Web\WebAppServer
\SASServer1_1\conf directory.
If you do not copy the keytab to the SASServer1_1\conf directory, then make
sure that you substitute the path in the configuration files.
2 The command for verifying a key tab depends on the operating environment.
Windows Specifics:
ktab.exe —l —k FILE:hostname-http.keytab
KVNO
Principal
----------------------------------------------1
HTTP/hostname-http.example.com@example.com
UNIX Specifics:
ktutil
rkt path-to/hostname-http.keytab
list -e
slot KVNO Principal
---- ---- -----------------------------------------------------------1
3
HTTP/hostname-http.example.com@EXAMPLE.COM (arcfour-hmac)
TIP The encryption type or types (arcfour-hmac) is used in the next section for
configuring SAS Web Application Server.
For more information about the ktab.exe or ktutil commands, see the vendor
documentation.
Configuring SAS Web Application Server
The information in this section is modified from http://tomcat.apache.org/tomcat-7.0doc/windows-auth-howto.html.
If the machine already has a Kerberos configuration file, such as either C:\windows
\krb5.ini or /etc/krb5.conf, you can use the existing file. In this case, specify
Support for Integrated Windows Authentication
263
the -Djava.security.krb5.conf= JVM option to specify the path. Substitute the
path in the examples.
To configure SAS Web Application Server, follow these steps:
1 If you do not have an existing configuration file, you can create a SAS-config-dir
\Lev1\Web\WebAppServer\SASServer1_1\conf\krb5.ini file with contents
that are similar to the following example:
[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = FILE:C:\SAS\Config\Lev1\Web\WebAppServer\SASServer1_1\conf\
hostname-http.keytab
default_tkt_enctypes = arcfour-hmac
default_tgs_enctypes = arcfour-hmac
forwardable=true
[realms]
EXAMPLE.COM = {
kdc = adsvr.example.com
}
[domain_realm]
EXAMPLE.COM= EXAMPLE.COM
example.com= EXAMPLE.COM
Note: The encoding types in the example are based on the ktutil command
output from the previous section. If AES256 encryption ciphers are included in the
ktutil output, be aware that they require using the Java Unlimited Strength
Cryptography Extension.
2 Verify that Kerberos authentication succeeds. Use the kinit command that is
provided in the SASHOME\SASPrivateJavaRuntimeEnvironment\9.4\jre
\bin directory.
kinit -k —t c:\path-to\hostname-http.keytab
HTTP/hostname.example.com
Be sure the results are similar to the following:
New ticket is stored in cache file C:\path
3 Edit the SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\jass.conf file. Add the following to the end of the file:
com.sun.security.jgss.krb5.initiate {
264 Chapter 16 / Enterprise Integration
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/hostname.example.com@EXAMPLE.COM"
useKeyTab=true
keyTab="C:/SAS/Config/Lev1/Web/WebAppServer/SASServer1_1/conf/
hostname-http.keytab"
storeKey=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/hostname.example.com@EXAMPLE.COM"
useKeyTab=true
keyTab="C:/SAS/Config/Lev1/Web/WebAppServer/SASServer1_1/conf/
hostname-http.keytab"
storeKey=true;
};
4 Edit the SAS-config-dir\Lev1\Web\WebAppServer\SASServer1_1\conf
\server.xml file. Configure a Realm to establish roles for authenticated users.
The following example uses a JNDIRealm to retrieve a user's roles from the Active
Directory LDAP:
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://adsvr.example.com:389"
connectionName="CN=oneUser,OU=User Accounts,DC=example,DC=com"
connectionPassword="********"
userBase="OU=User Accounts,DC=example,DC=com"
userSearch="sAMAccountName={0}"
commonRole="ROLE_USER"
/>
Lnow the role name that is returned from Active Directory. The name is either a role
name that is associated with the user such as ROLE_USER.
Note: For deployments that include SAS Mobile BI you need to modify the realm so
that it can also be used for BASIC authentication.
5 Either of the previous realm definitions uses the keytab file to connect to the Active
Directory LDAP. In order for the connection to succeed, SAS Web Application
Server must be started with the following JVM options:
-Djava.security.krb5.realm=EXAMPLE.COM
-Djava.security.krb5.kdc=example.com
-Djava.security.krb5.conf=/path-to/krb5.ini
Support for Integrated Windows Authentication
265
-Djavax.security.auth.useSubjectCredsOnly=false
See Also
“Specifying JVM Options” on page 49
Configure Web Authentication
Follow the steps in the “Web Authentication” on page 237 procedure, but specify
SPNEGO as the method in the web.xml.orig file for SAS Logon Manager. The changes
are similar to the following example:
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<url-pattern>/login</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_USER</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>SPNEGO</realm-name>
</login-config>
<security-role>
<role-name>ROLE_USER</role-name>
</security-role>
TIP These changes are to the same section of web.xml that is required to implement
web authentication. You can make the changes to the web.xml.orig file as described
in that procedure.
266 Chapter 16 / Enterprise Integration
Configuring the Microsoft Internet Explorer to
Use SPNEGO
Configure Security Settings
To configure the security settings, follow these steps:
1 Select Tools  Internet options  Security.
2 Select Local intranet and then click Sites.
3 Configure the intranet domain settings:
a Verify that the check boxes for the following items are selected:
n
Include all local (Intranet) sites not listed in other zones
n
Include all sites that bypass the proxy server
b Click Advanced and add your domain name to the Websites list to ensure that
Internet Explorer recognizes any site with your domain name as the intranet.
4 Configure intranet authentication:
a In the Security level for this zone area, click Custom level.
b Scroll to the User Authentication section, select Automatic Logon only in
Intranet Zone and click OK.
Configure Connection Settings
If your site uses a proxy server, follow these steps:
1 Select Tools  Internet options  Connections.
2 Click LAN settings.
3 Verify that the proxy server address and port number are correct.
4 Click Advanced.
Support for Integrated Windows Authentication
267
5 Verify that the correct domain names are entered in the Exceptions field on the
Proxy Settings dialog box.
Configure Advanced Settings
To use Integrated Windows Authentication, follow these steps:
1 Select Tools  Internet options  Advanced.
2 Scroll to the Security section and verify that Enable Integrated Windows
Authentication is selected.
3 Click OK and restart the browser to activate the changes.
Confirm the Changes
Once the steps in the previous sections are complete, you should be able to specify the
URL for a SAS web application and use the application without a prompt for credentials.
Do not start and use a browser from the machine that is used for SAS Web Application
Server. This does not work. You must use another computer to confirm that the steps
were performed correctly.
268 Chapter 16 / Enterprise Integration
269
17
Middle-Tier Security
Using the SAS Anonymous Web User with SAS
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Configuring SAS Web Server Manually for HTTPS . . . . . . . . . . . . . . . 270
Use of TLS with SAS Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Reconfiguring to Use HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Configuring SAS Web Application Server to Use HTTPS . . . . . . . 273
FIPS 140-2 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
About FIPS Compliance in the SAS Middle-Tier . . . . . . . . . . . . . . . . . . 275
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Configuring SAS Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Configuring SAS Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . 276
Using the SAS Anonymous Web User
with SAS Authentication
The SAS Anonymous Web User (webanon) is an optional account that can be used to
grant web clients anonymous access to certain SAS Web Infrastructure Platform
applications (SAS BI Web Services and SAS Stored Process Web Application). This
anonymous account is configured with the SAS Deployment Wizard and is applicable
only when SAS authentication is being used. If web authentication is used, the web
application server processes authentication requests, and this anonymous account has
no effect.
270 Chapter 17 / Middle-Tier Security
If the webanon account is configured, it is used when a web service is configured for
SAS authentication, and credentials are not supplied. If the webanon account is not
configured, there are no credentials for authentication, and the request fails.
In a default deployment, this anonymous account is configured as an internal user
account. To determine whether to enable the webanon user account, administrators
must decide whether they want to require clients to provide credentials for all requests.
When clients provide credentials to an incoming request, these credentials are always
used for authentication whether the account has been enabled or not.
The webanon user is defined in the following locations:
n
in metadata. In default deployments, the SAS Anonymous Web Service User is an
internal user account that is known only to SAS and that is authenticated internally in
metadata. When internal authentication is used, it is not necessary for this user to
have a local or network account.
n
in the operating system of the metadata server machine, only if you selected the
External authentication option for this user during a custom installation.
Configuring SAS Web Server Manually
for HTTPS
Use of TLS with SAS Web Applications
Transport Layer Security is a successor protocol to SSL. It is used to provide network
security and privacy. In addition to providing encryption services, TLS uses trusted
certificates to perform client and server authentication, and it uses message
authentication codes to ensure data integrity.
This documentation assumes that you have a basic understanding of TLS and SSL and
that you know how to obtain and use trusted certificates.
The best practice is to acquire CA-signed certificates before you install and configure
SAS software. You can specify the location of the certificate to the SAS Deployment
Configuring SAS Web Server Manually for HTTPS
271
Wizard and it can configure SAS Web Server to use it. For more information, see “Using
HTTPS” on page 39.
Reconfiguring to Use HTTPS
If you did not choose to configure with secure sockets during the initial installation and
configuration with the SAS Deployment Wizard, you can SAS Web Server to use
HTTPS. Follow these steps:
1 Create a private key, generate a certificate signing request, and get a signed
certificate. For more information, see Encryption in SAS.
2 Stop SAS Web Server and all SAS Web Application Server instances.
3 If the directory SAS-config-dir\Lev1\Web\WebServer\ssl does not exist,
then create it.
Put the certificate file and key file in this directory.
4 Edit SAS-config-dir\Lev1\Web\WebServer\conf\httpd.conf and remove
the # from the following line:
#Include C:/SAS/Config/Lev1/Web/WebServer/conf/extra/httpd-ssl.conf
5 Edit SAS-config-dir\Lev1\Web\WebServer\conf\extra\httpd-ssl.conf
and make the following changes:
a Locate the following line and make sure it refers to the HTTPS port that you want
the server to listen on:
Listen 443 https
Note: Be aware that on UNIX platforms, you must start SAS Web Server as root
in order to listen on ports below 1024.
b Locate the following line and make sure it refers to the same HTTPS port:
<VirtualHost _default_:443>
c Locate the following lines for the certificate file and key file and enter the correct
filenames:
272 Chapter 17 / Middle-Tier Security
SSLCertificateFile "ssl/myhost.crt"
SSLCertificateKeyFile "ssl/myhost.key"
6 For each instance of SAS Web Application Server, edit SAS-config-dir
\Lev1\Web\WebAppServer\SASServern_m\conf\server.xml and make the
following changes to the Connector element:
n
Change the proxyPort attribute to specify the HTTPS listen port.
n
Change the scheme to https.
7 Use SAS Management Console to update the protocol and port number for each
web application. For more information, see “Specifying Connection Properties” on
page 75.
8 Use SAS Management Console to update the SAS Content Server connection
information. For more information, see “Manual Configuration Tasks” on page 155.
9 If the certificate that you use is not signed by a certificate authority (CA) that would
be located in the JRE default trust store (for example, VeriSign), then add all the CA
certificates in the chain to the SAS Private JRE trust store (the cacerts file). Do this
for all middle tier machines before starting any servers.
You also need to import the certificate chain for server-tier machines to support any
Java clients such as PROC SOAP. Also do this for client tier products.
10 Configure the server tier and client tier.
UNIX Specifics: For the server tier, you can create a PEM file that contains all trust
certificates in the chain and use the file in the SSLCALISTLOC= SAS system option
or use the SSL_CERT_DIR environment variable. For more information, see SAS
Intelligence Platform: Installation and Configuration Guide.
Windows Specifics: For server and client tiers machines, add any required CA
certificates to the Windows trust store.
11 Start SAS Web Server and then start each SAS Web Application Server instance.
Configuring SAS Web Application Server to Use HTTPS
273
12 For SAS Visual Analytics deployments, perform the following steps with SAS
Management Console to confirm that the SAS LASR Authorization Service URI is
updated:
a Select Environment Management  Server Manager.
b For each SAS LASR Analytic Server, select the server to display the connection
information in the right panel. Right-click the connection and select Properties.
c Select the Options tab. Make sure the Use LASR authorization service check
box is selected and that the URI includes the HTTPS port number. Click OK.
Note: You must perform these steps so that the HTTPS connection information
is saved in metadata.
See Also
n
Encryption in SAS
n
SAS Intelligence Platform: Installation and Configuration Guide
Configuring SAS Web Application Server
to Use HTTPS
In deployments that use SAS Web Server, the SAS Deployment Wizard does not
include an option to configure SAS Web Application Server for HTTPS. The
communication path between SAS Web Server and SAS Web Application Server uses
HTTP.
In order to use HTTPS between SAS Web Server and SAS Web Application Server,
follow these steps:
1 Create a private key, generate a certificate signing request, and get a signed
certificate. For more information, see Encryption in SAS.
274 Chapter 17 / Middle-Tier Security
2 If the certificate that you use is not signed by a certificate authority (CA) that would
be located in the JRE default trust store (for example, VeriSign), then add all the CA
certificates in the chain to a JKS format keystore.
openssl pkcs12 -export -chain -inkey myhost.key -in myhost.cer -name "web app server
keytool -importkeystore -deststorepass storepass -destkeypass keypass -destkeystore
For information about the openssl and keytool commands, see the vendor
documentation.
3 Edit SAS-config-dir\Lev1\Web\WebAppServer\SASServern_m\conf
\server.xml. Duplicate the existing Connector element and add the following
attributes:
n
secure="true"
n
SSLEnabled="true"
n
keystoreFile="/path-to-/myhost.jks"
n
keystorePass="storepass"
Note: Once you have completed your changes and confirmed that SAS Web
Application Server is using HTTPS, edit the server.xml file again and remove the
Connector element that was left using HTTP.
4 For SAS WebApplication Server, set the following JVM options:
-Dsas.scs.port=8443 -Dsas.scs.scheme=https -Dsas.auto.publish.port=8443
-Dsas.auto.publish.protocol=https
5 For SAS Web Server, make the following changes:
a Edit SAS-config-dir\Lev1\Web\WebServer\conf\sas.conf and change
the BalancerMember directives to use https as the protocol and the HTTPS
port that SAS Web Application Server is listening on. See the following example:
BalancerMember https://myhost.example.com:8443
route=myhost.example.com_SASServer1_1
b Edit SAS-config-dir\Lev1\Web\WebServer\conf\extra\httpd-
ssl.conf and add the following directives:
FIPS 140-2 Compliance
275
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 10
SSLProxyCACertificateFile "/path-to/chain.pem"
FIPS 140-2 Compliance
About FIPS Compliance in the SAS MiddleTier
The following sections describe how to configure components in the middle tier to use
cryptographic modules that are FIPS 140-2 compliant. Completing these procedures do
not result in middle tier components that are FIPS-140 compliant, only that the
components are using a FIPS-140 compliant cryptographic module.
More information about the Federal Information Processing Standard 140-2 can be
found at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.
Before You Begin
One of the tasks in this section is to configure SAS Web Application Server to use the
following native libraries:
n
APR library
n
JNI wrappers for APR used by Tomcat (tc native)
n
OpenSSL libraries
The binaries for these native libraries that are shipped with SAS 9.4 have a known
problem that prevents them from being used. Contact SAS Technical Support for
assistance with getting the native libraries for your platform.
276 Chapter 17 / Middle-Tier Security
Configuring SAS Web Server
SAS Web Server must be configured to use HTTPS. This is performed most easily
during initial configuration with the SAS Deployment Wizard. Selecting the option to use
HTTPS with SAS Web Server causes the server to use OpenSSL though the mod_ssl
module for Apache HTTP Server. OpenSSL has a FIPS module that is certified as FIPS
140-2 compliant. As a result, the server can initialize the OpenSSL software in FIPS
mode with a change to the server’s configuration file.
Edit the SAS-config-dir\Levn\Web\WebServer\conf\extra\httpdssl.conf file and add the following statement before the VirtualHost directive:
SSLFIPS on
Restart the server and verify from the log\server.log file that the server
successfully initialized in FIPS mode. In this mode, the server only establishes
connections with clients that use the TLSv1 protocol and strong encryption.
Configuring SAS Web Application Server
The Apache Portable Runtime (APR) is a native web server library that can be used by
SAS Web Application Server to leverage native library support for OpenSSL. Using a
native library typically results in better performance than approaches that use Java.
SAS Web Application Server can be started in FIPS mode by setting FIPSMode="on"
on the APR listener. This option is new to Tomcat 7 (that is part of SAS Web Application
Server). Three native components are required:
To modify an existing SAS Web Application Server instance to use the APR, follow
these steps:
1 Perform the steps in “Configuring SAS Web Application Server to Use HTTPS”.
However, look at Connector settings in Step 4b. You can make the changes all at
once.
2 Locate the libraries that you received from SAS Technical Support.
3 Edit the script files for SAS Web Application Server to use the libraries.
FIPS 140-2 Compliance
277
For Windows deployments, edit SASServer1_1\conf\wrapper.conf to include
lines similar to the following example:
Example Code 17.1
Changes to wrapper.conf for Windows
# Java Library Path
wrapper.java.library.path.1=%CATALINA_BASE%\bin\winx86_64
wrapper.java.library.path.2=c:\path_to\lib
For UNIX deployments, edit SASServer1_1/bin/tcruntime-ctl.sh to include
lines similar to the following example:
Example Code 17.2
Changes to tcruntime-ctl.sh for UNIX
LD_LIBRARY_PATH="/path_to/lib"
export LD_LIBRARY_PATH
4 Edit SASServer1_1\conf\server.xml and make the following changes:
a Add the following listener to the Server element:
<Listener
SSLEngine="on"
className="org.apache.catalina.core.AprLifecycleListener"
FIPSMode="on" />
b Change the Connector to use Http11AprProtocol and specify the other SSL
parameters. Here is an example:
<Connector acceptCount="100" connectionTimeout="20000"
executor="tomcatThreadPool" maxKeepAliveRequests="15"
port="8443" scheme="https" secure="true"
protocol="org.apache.coyote.http11.Http11AprProtocol"
proxyName="hostname.example.com" proxyPort="8443"
redirectPort="8443" useBodyEncodingForURI="true"
SSLCertificateFile="${catalina.base}/ssl/hostname.crt"
SSLCertificateKeyFile="${catalina.base}/ssl/hostname.key"
SSLCertificateChainFile="${catalina.base}/ssl/chain.pem"
SSLPassword="******"
SSLEnabled="true"
/>
TIP For information about the connector parameters, see http://
tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/
Native.
278 Chapter 17 / Middle-Tier Security
5 Restart SAS Web Application Server and monitor the logs\server.log file. Log
entries similar to the following indicate successful configuration:
[org.apache.catalina.core.AprLifecycleListener]
sendfile [true], accept filters [false], random
[org.apache.catalina.core.AprLifecycleListener]
[org.apache.catalina.core.AprLifecycleListener]
[org.apache.catalina.core.AprLifecycleListener]
initialized (OpenSSL 1.0.1c-fips 10 May 2012)
APR capabilities: IPv6 [true],
[true].
Initializing FIPS mode...
Successfully entered FIPS mode
OpenSSL successfully
The previous steps are based on the procedure that is provided by VMware at http://
pubs.vmware.com/vfabric51/index.jsp?topic=/com.vmware.vfabric.tc-server.2.7/admin/
manual-fips-140-mode.html.
The steps are modified to include directory paths that are
used in a SAS deployment and to configure SAS Web Application Server to use
HTTPS.
279
Part 5
Tools and Utilities
Chapter 18
Using the SAS Web Infrastructure Platform Utilities . . . . . . . . 281
Chapter 19
SAS Configuration Scripting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
280
281
18
Using the SAS Web Infrastructure
Platform Utilities
Using the DAVTree Utility to Manage WebDAV Content . . . . . . . . 282
About the DAVTree Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Start the Utility and Connect to a WebDAV Location . . . . . . . . . . . . 282
Add Resources to WebDAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Edit a Text File in WebDAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Copy or Move a File in WebDAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Advanced Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Using the Package Cleanup Utility to Remove Packages . . . . . . . 286
Overview of the Package Cleanup Utility . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Deleting Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
List Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Utility Logging and Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Using JMX Tools to Manage SAS Resources . . . . . . . . . . . . . . . . . . . . . 293
About JMX and MBeans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Accessing the SAS MBeans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Understanding How to Use the SAS MBeans . . . . . . . . . . . . . . . . . . . . . 295
282 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
Using the DAVTree Utility to Manage
WebDAV Content
About the DAVTree Utility
The DAVTree utility is a stand-alone Java application that provides a tree view of
WebDAV resources. The utility enables you to manipulate content by copying files to a
WebDAV repository or by creating text files such as forms and templates.
The utility presents information in a tree view. When you select a resource item in the
tree on the left side of the window, the WebDAV properties for the resource are
displayed on the right side.
Here is an example DAVTree interface:
In the interface, you see only the content that you are authorized to see.
Start the Utility and Connect to a WebDAV
Location
To use this utility, follow these steps:
1 Run the following command on Windows:
SAS-config-dir\Levn\Web\Utilities\DAVTree.bat
Using the DAVTree Utility to Manage WebDAV Content
283
On UNIX and z/OS:
SAS-config-dir/Levn/Web/Utilities/DAVTree.sh.
The DAVTree utility appears.
2 Select File  Open.
The DAV Location dialog box appears.
3 In the URL field, enter the URL for a WebDAV location. For example, enter the
following URL and substitute the server name and port number of your WebDAV
server (SAS Content Server):
http://server:port/SASContentServer/repository/default/
4 If the WebDAV server was set up with a proxy, enter the proxy host and port.
5 Click OK. You are prompted for credentials.
6 Enter your administrator credentials in the logon dialog box.
You can later connect to a different WebDAV location by repeating steps 2 through 6
and providing the URL for the new location.
Add Resources to WebDAV
Copy Files to DAVTree
You can copy both text files and binary files to the repository. To copy a file, click and
drag the file from the file system to a folder in the DAVTree interface. This action can be
performed on Windows systems and on UNIX systems that provide a graphical
interface.
Note: To delete a resource, select the resource in the tree and then select Edit 
Delete. You are prompted to confirm the deletion.
Create a Text File
1 Position the cursor on the folder where you want to create the text file.
2 Select Edit  Add.
284 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
You are prompted to confirm the action, and then an Add dialog box appears. Here
is an example dialog box with data entered in the fields.
3 Select Resource.
4 In the field to the left of the Resource radio button, enter the name of the text file. If
a file already exists with the name that you provide, the file is overwritten.
The example shows a file with the name myFile.txt.
5 In the field below the Resource radio button, enter the text that you want the file to
contain. Press ENTER to start a new line.
The example shows a file that contains the text string “Contents of myFile.txt.”
6 If you want to define a custom WebDAV property, click New property. Two text
fields appear in the gray properties panel. In the left field, add the property name. In
the right field, enter the property value.
7 Click OK.
Create a Folder
1 Position the cursor on the folder where you want to create the new folder.
2 Select Edit  Add.
You are prompted to confirm the action, and then an Add dialog box appears.
3 Select Collection.
Using the DAVTree Utility to Manage WebDAV Content
285
4 In the field to the left of the Collection radio button, enter the name that you want to
give the folder.
5 Click OK.
Edit a Text File in WebDAV
To edit a text file, follow these steps:
1 Right-click the text file and select Edit. The Edit File dialog box appears and displays
the contents of the file.
2 Make your changes to the text.
3 Click Save.
Copy or Move a File in WebDAV
To move a file from one location to another in WebDAV, in DAVTree click and drag the
file to the desired location.
To copy rather than move a file, press and hold the CTRL key while dragging.
Advanced Features
The DAVTree utility can be used as a diagnostic tool. The utility provides features such
as locking files, versioning files, and modifying WebDAV properties.
CAUTION! These are advanced WebDAV functions. These functions are not
described in this document. These functions should be performed only by someone who
has WebDAV expertise.
286 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
Using the Package Cleanup Utility to
Remove Packages
Overview of the Package Cleanup Utility
The Package Cleanup utility provides a simple, command-line interface for deleting or
listing packages that have been published in a publication channel or in a WebDAV
repository.
The SAS Publishing Framework supports channels that you define in the SAS Metadata
Repository. Once channels have been defined, users can publish packages to the
channels. For example, portal users can subscribe to available channels, view the
persisted packages, and publish content (files, links, stored processes, and information
maps).
Channels can be defined with archive or WebDAV persistent stores. When a package is
published to a channel that is defined with a persistent store, the package is first
persisted to that location and then it is published to all subscribers of that channel. All
persisted packages have an expiration date. However, expired packages are not
deleted automatically; you must explicitly delete them. You can use the Package
Cleanup utility for this purpose.
Here is the path to the utility:
On Windows:
SAS-config-dir\Levn\Web\Utilities\PackageCleanup.bat
On UNIX and z/OS:
SAS-config-dir/Levn/Web/Utilities/PackageCleanup.sh.
The Package Cleanup utility enables you to review basic information about a persisted
package and delete both the metadata and the actual package. Deletions are based on
the expiration date of the package. This utility supports the deletion of packages from
Using the Package Cleanup Utility to Remove Packages
287
either type of persistent store (archive or WebDAV). The utility also supports the
deletion of packages that are not defined in any channel.
The Package Cleanup utility also supports a listing feature. The utility can be used to
display information about packages that are published in a particular channel, packages
that are not defined in any channel, and packages that exist on a WebDAV server.
Note: You must have the appropriate permissions on a channel in order to delete
packages from the channel. See the “Authorization Model” chapter in the SAS
Intelligence Platform: Security Administration Guide.
Deleting Packages
Delete Packages
To delete packages, follow these steps:
1 Run the command and specify the deletion date. You can also provide one of the
following arguments:
n
a channel name in order to delete packages that are defined in a specific channel
n
a WebDAV URL in order to delete packages that are in the specified WebDAV
location
Note: If you do not provide the channel or WebDAV URL, then the utility deletes
only orphaned packages that are not defined for any channel or WebDAV URL.
After you run the command, the utility displays a list of packages that match your
deletion criteria and prompts you to confirm deletion.
2 Respond to the prompt to confirm deletion of the packages or to exit without deleting
any packages.
Minimal Syntax for Deleting Packages
Here is the minimal syntax for deleting packages that are defined in a channel:
PackageCleanup
-d expiration-date
-ch channel-name
288 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
-metauser Metadata-Server-username
-metapass Metadata-Server-password
-domain authentication-domain
The utility deletes all packages in the specified channel that expire before the date and
time specified.
Here is the minimal syntax for deleting packages that are not defined in a channel:
PackageCleanup
-d expiration-date
-metauser Metadata-Server-username
-metapass Metadata-Server-password
-domain authentication-domain
Here is the minimal syntax for deleting packages that are defined in a WebDAV server:
PackageCleanup
-url WebDAV-URL
-username WebDAV-Server-username
-password WebDAV-Server-password
-d expiration-date
-metauser Metadata-Server-username
-metapass Metadata-Server-password
-domain authentication-domain
Delete Specific Packages
To delete a specific package, specify -package package-name (or -pkg packagename) along with the date. The PACKAGE option enables you to specify the name of
the package to delete.
Change Prompt Behavior
When you run the utility command, the utility displays a list of packages that match your
deletion criteria and prompts you to confirm deletion of all the packages that are listed.
You can override this default behavior in order to be prompted for each package
individually.
To override the default, specify -prompteach. You are then prompted to delete each
package that meets the deletion criteria. After each package is processed, the utility
displays a final list of all packages that were selected. You can then choose to delete all
of those packages or exit without deleting any packages.
Using the Package Cleanup Utility to Remove Packages
289
You can also turn off prompting altogether by specifying -noprompt. When you run the
utility in batch mode, you must use the -noprompt option (unless shell programming is
provided to respond to the prompts). It is best to run with prompts when you are
learning how to use the application. With prompts, you can review proper date
formatting and correct package deletion candidates with the option to exit without
deleting any packages.
List Packages
To obtain a list of packages, run the command and specify the -list option. You can
also provide one of the following arguments:
n
a channel name in order to list packages that are defined in a specific channel
n
a WebDAV URL in order to list packages that are in the specified WebDAV location
Note: If you do not provide the channel or WebDAV URL, then the utility displays only
orphaned packages that are not defined for any channel or WebDAV URL.
The LIST option lists the following information for each package:
n
package name
n
date and time that the package was created
n
date and time that the package expires
Here is the minimal syntax for listing packages that are defined in a channel:
PackageCleanup
-list
-ch channel-name
-metauser Metadata-Server-username
-metapass Metadata-Server-password
-domain authentication-domain
Here is the minimal syntax for listing packages that are not defined in a channel:
PackageCleanup
-list
-metauser Metadata-Server-username
-metapass Metadata-Server-password
-domain authentication-domain
290 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
Here is the minimal syntax for listing packages that are defined in a WebDAV server:
PackageCleanup
-list
-url WebDAV-URL
-username WebDAV-Server-username
-password WebDAV-Server-password
-metauser Metadata-Server-username
-metapass Metadata-Server-password
-domain authentication-domain
Arguments
The utility supports the following arguments:
-channel | -chchannel-name
Specify the channel that contains the packages that you want to list or delete.
-deletionDate | -d"expiration-date"
Specify the expiration date and time for the packages to be deleted. You can also
use this argument when you list packages. The utility deletes or lists packages that
have an expiration date before the date and time that you specify. The date and time
should be enclosed in quotation marks. Format: “yyyy.MM.dd at hh:mm”
-list
The utility displays a list of packages (no deletion occurs).
-metauser Metadata-Server-username
Specify the user name to use when connecting to the SAS Metadata Server.
-metapass Metadata-Server-password
Specify the password to use when connecting to the SAS Metadata Server.
-domain authentication-domain
Specify the authentication domain for the SAS Metadata Server.
-package | -pkg package-name
Specify the name of a package to delete.
-url WebDAV-URL
Specify the WebDAV URL to use to locate packages to delete.
Using the Package Cleanup Utility to Remove Packages
291
-username WebDAV-username
Specify the user name to use to connect to a WebDAV server.
-password WebDAV-password
Specify the password to use to connect to a WebDAV server.
-logfile | -log file-name
Specify the name of a log file to create. If the log file already exists, then the log lines
are appended to the current file.
-noprompt
The utility does not prompt for confirmation of deletions.
-deletenodate
The utility lists or deletes packages that do not have an expiration date.
-prompteach
The utility prompts you to confirm each package individually for deletion.
-debug
The utility produces debugging information for all the SAS Foundation Services.
-help
The utility displays this help information. (You must also provide the -metauser, metapass, and -domain arguments in order to get the Help information.)
Utility Logging and Debugging
By default, application activity is sent to the Java standard out console. If you want to
log to a file, use the LOGFILE option. For example, you might specify -logfile c:
\mylog.file. If the log file already exists, then the log lines are appended to the
current file.
Use the DEBUG option to enable debugging-level information. This option provides
debugging information for all of the Foundation Services as well as the utility. This
option should be used only when you experience problems with the utility and want to
determine the cause.
292 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
Examples
This example deletes all packages published to the Sales channel that have an
expiration date before October 7, 2009, at 12:59 p.m.
PackageCleanup -ch Sales -d "2009.10.07 at 12:59 PM" -metauser userX
-metapass passX -domain DefaultAuth
This example uses the PROMPTEACH option, which enables you to confirm deletion of
each package individually.
PackageCleanup -ch Sales -d "2009.10.07 at 12:59 PM" -metauser userX
-metapass passX -domain DefaultAuth -prompteach
This example deletes a specific package that is defined in the Sales channel. The PKG
option is specified to identify the exact package to delete. In this example, the package
is named s109513698.spk and has an expiration date of October 7, 2009, at 12:59 p.m.
PackageCleanup -ch Sales -d "2009.10.07 at 12:59 PM" -pkg s109513698.spk
-metauser userX -metapass passX -domain DefaultAuth
This example deletes all packages that are not defined in any channel. Only packages
that are not defined in a channel and have an expiration date before October 7, 2009, at
10:00 a.m. are deleted.
PackageCleanup -d "2009.10.07 at 10:00 AM" -metauser userX -metapass passX
-domain DefaultAuth
This example deletes packages that have been published to a WebDAV server. The
utility connects to the server using the specified URL and deletes all packages
published to that location that have an expiration before October 7, 2009, at 05:00 a.m.
PackageCleanup -d "2009.10.07 at 05:00 AM" -url http://myhost.com/Sales/Packages
-username davUserX -password davPasswordX -metauser userX -metapass passX
-domain DefaultAuth
This example deletes a specific package from a WebDAV server. The PKG option is
used to provide the name of the package to delete. The utility connects to the server
using the specified URL and deletes the package named s3964865240.
PackageCleanup -d "2009.10.07 at 12:59 PM" -metauser userX -metapass passX
-domain DefaultAuth -url http://myhost.com/Sales/Packages -username davUserX
-password davPasswordX -pkg s3964865240
Using JMX Tools to Manage SAS Resources
293
This example lists packages (does not delete) by using the LIST option. Note that the -d
argument is not required when listing packages. This example lists all packages that are
published in the Sales channel.
PackageCleanup -list -ch Sales -metauser userX -metapass passX
-domain DefaultAuth
This example uses the LIST option to list all packages with an expiration date before
October 7, 2009, at 12:00 p.m.
PackageCleanup -ch Sales -d "2009.10.07 at 12:00 PM" -metauser userX
-metapass passX -domain DefaultAuth -prompteach -list
Using JMX Tools to Manage SAS
Resources
About JMX and MBeans
SAS servers implement common administrative interfaces. These interfaces enable you
to perform basic administrative functions such as stopping, pausing, and resuming
servers. You can also use the interfaces to monitor the health of the servers via realtime and historical metrics. Java Management Extensions (JMX) is a Java technology
that supplies tools for managing and monitoring applications, system objects, devices
(such as printers), and service-oriented networks. JMX managed beans, known as
MBeans, have been implemented to provide a standard way of managing SAS
resources.
Accessing the SAS MBeans
About Accessing the SAS MBeans
You can use any of the standard JMX monitoring tools to access the MBeans that
manage SAS resources. To use these tools, you must do the following:
1 Enable access to the MBeans from the web application server. See “Configure the
Web Application Server to Enable JMX Client Access” on page 294.
294 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
2 Use an application to connect and access the SAS MBeans. Follow the specific
instructions for your JMX tool. For information about using the JConsole tool, see
“Manage SAS Resources Using JConsole” on page 294.
Configure the Web Application Server to Enable JMX Client
Access
You configure the web application server to enable access to the MBeans by setting
specific Java system options.
Specify the following Java Virtual Machine (JVM) argument to access the MBeans
locally:
com.sun.management.jmxremote
Specify the following JVM argument to access the MBeans from a remote system.
Replace portNum with the port number to use for JMX RMI connections:
com.sun.management.jmxremote.port=portNum
Remote monitoring and management requires security to ensure that unauthorized
persons cannot control or monitor your application. It is recommended that you set the
following JVM arguments when MBeans are accessed remotely:
com.sun.management.jmxremote.authenticate=true | false
com.sun.management.jmxremote.ssl=true
| false
For information about these arguments, see the Java documentation.
Manage SAS Resources Using JConsole
JConsole is a JMX tool that is included with the standard Java Development Kit (JDK).
The information provided through JMX technology enables JConsole to provide
information about application performance and functions. You can use JConsole to
interact with the JMX MBeans that are available to manage SAS resources. The
console's simple user interface displays all MBeans in a tree navigator on the left side of
the window. When you select a specific MBean, its attributes, operations, notifications,
and other information are displayed on the right side of the window.
To access information about SAS resources using JConsole, follow these steps:
1 Start JConsole by running the following command:
Using JMX Tools to Manage SAS Resources
295
JDK-HOME\bin\jconsole
2 Connect to the MBean server as follows:
n
If you are accessing the MBeans locally, the Local tab should display every JVM
that is running on the local system that was started with the same user ID as
JConsole. Select the appropriate JVM and click Connect.
n
If you are accessing the MBeans remotely, follow these steps:
1 Select the Remote tab.
2 Enter the host on which the JVM is running, along with the port where the
RMI connector was registered.
3 You might need to specify credentials if authentication to the MBean server is
required.
4 Click Connect to connect to the MBean server.
3 Select the MBeans tab. This tab displays a tree view of all the registered MBeans.
4 Expand the com.sas.services domain to see all MBeans registered in this domain.
5 Select the ServerFactory MBean.
6 In the right pane, select the Operations tab. You can now see the operations
(listing, stopping, pausing, and so on) so that you can list the defined SAS servers
and manage your running SAS servers. When you invoke one of the manage-server
operations, a new MBean is registered. The MBean is connected to the specified,
running SAS server. The newly registered MBean can then be used to manage and
monitor that particular SAS server.
Understanding How to Use the SAS MBeans
About the SAS MBeans
There are three primary MBeans provided by the SAS Web Infrastructure Platform for
managing and monitoring SAS resources:
296 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
n
ServerFactory MBean
n
Spawner MBean
n
Server MBean
The following sections describe these MBeans.
ServerFactory MBean
The ServerFactory MBean is the starting point for managing SAS servers. This MBean
is registered during deployment of the SAS Web Infrastructure Platform and is named
as follows:
com.sas.services:type=ServerFactory
During initialization, the ServerFactory MBean connects to the SAS Metadata Server.
This enables the MBean to list all SAS servers defined in the metadata. The MBean can
then be used to register additional MBeans that enable the running servers to be
managed and monitored directly. The ServerFactory MBean does not have any
attributes, but supports three operations:
listDefinedServers()
provides a list of SAS IOM servers that are defined in the Metadata Server.
Information that is returned for each defined server includes the server name, host,
port, and server type. To begin actively managing a server, specify the name of the
server on the manageServerByName operation.
manageServerByName(String ServerName, String Host)
registers a Server MBean that enables you to actively manage the specified IOM
server. The newly registered MBean connects to the running IOM server and can
then be used to manage and monitor that server. The host name can be left blank if
the IOM server is defined to run on only one host. If defined to run on multiple hosts,
the proper host name should be provided.
The manageServerByName() operation does not work on a server that is spawned
by the SAS Object Spawner.
manageServer(String Host, Integer Port, String Username, String Password)
registers a Server MBean that enables you to actively manage the specified IOM
server. The IOM server that is managed is identified by the host and port provided
Using JMX Tools to Manage SAS Resources
297
on the manageServer operation. The newly registered MBean can be used to
manage and monitor that specific IOM server. This operation is useful when the IOM
server is not defined in the Metadata Server.
Spawner MBean
The Spawner MBean is created whenever an IOM Spawner is identified in one of the
ServerFactory MBean's manageServer operations. The name of the registered MBean
uses the form:
com.sas.services:type=Server,serverType=Spawner,
name="Server Name",
host=Host Name,port=Port
The Spawner MBean enables you to manage and monitor the running Object Spawner.
You can perform SAS Spawner operations such as stop, pause, and resume.
Here are some commonly used Spawner MBean attributes:
n
the number of times the counters have been reset
n
the amount of time the server has been idle
n
the number of currently connected clients
n
the server start time
n
the number of currently abandoned servers
n
the number of currently launched servers
n
the total number of servers that have been launched
n
the number of currently failed servers
n
the process identifier of the server process
n
the amount of time spent in server method calls
n
the number of method calls that the server has processed
298 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
Server MBean
The Server MBean is created whenever a SAS server is identified in one of the
ServerFactory MBean's manageServer operations or when a server is managed via the
Spawner MBean's manageLaunchedServer(s) operation.
A server MBean can represent a SAS Workspace Server, a SAS Stored Process
Server, a SAS Framework Data Server, a SAS Metadata Server, or a SAS OLAP
Server. The name of the registered SAS Server MBean uses one of these three forms:
com.sas.services:type=Server, serverType=Workspace, logicalServer=
"LogicalServerName", name="Server Name",
instanceid="Unique instance ID"
com.sas.services:type=Server, serverType=StoredProcess, logicalServer=
"LogicalServerName", name="Server Name",
instanceid="Unique instance ID"
com.sas.services:type=Server, serverType=Table, logicalServer=
"LogicalServerName", name="Server Name",
host=Host Name,
port=Port Number
The Server MBean enables you to manage and monitor the running SAS server. You
can perform server operations such as stop, pause, and resume.
Here are some commonly used Server MBean attributes:
n
the number of times the counters have been reset
n
the amount of time the server has been idle
n
the number of currently connected clients
n
the server start time
n
the last time the counters were reset
n
the execution state of the server
n
the amount of time spent in server method calls
n
the number of method calls that the server has processed
n
the number of clients that the server has serviced
n
the process identifier of the server process
Using JMX Tools to Manage SAS Resources
n
the identity under which the server process is executing
299
300 Chapter 18 / Using the SAS Web Infrastructure Platform Utilities
301
19
SAS Configuration Scripting Tools
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Special Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Scripting Tool for SAS Web Application Server . . . . . . . . . . . . . . . . . . 302
Command Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Rebuilding the SAS Web Application Server Configuration . . . . . 305
Executing a Batch Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Executing a Single Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Properties Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Overview
The configuration scripting tools enable administrators to perform the following tasks:
n
Create the SAS Web Application Server configuration rather than following the
manual instructions. If the automatic configuration option was disabled in the SAS
Deployment Wizard, then the SAS Deployment Wizard provides an Instructions.html
file that describes the configuration steps to perform the web application server
configuration. You can use the configuration scripting tools to perform these steps
automatically instead of manually.
n
Rebuild the web application server configuration. The results are identical to
what is performed by the SAS Deployment Wizard and SAS Deployment Manager.
302 Chapter 19 / SAS Configuration Scripting Tools
The SAS configuration scripting tools also enable an administrator to perform the
following additional tasks:
n
Use a command line to perform a configuration operation on a single resource. For
example, creating a server instance can be performed with a single command.
n
Edit property files that are associated with specific resources and then update the
resources with the configuration scripting tools.
n
Use existing property files as templates for creating additional resources. For
example, an administrator can copy the definitions for SASServer1 to a new file and
then use it as a template to create a new server instance.
Special Considerations
n
If you are rebuilding or reconfiguring a web application server, then make sure that
all the web application servers are stopped.
n
If you encounter errors while configuring a web application server, review the
properties that are being used by the tool and rerun the tool. The tool can be run
many times without deleting the configuration between runs, so long as the server is
not running. If the server starts in between runs, there can be locks on files that
prevent subsequent runs from succeeding.
Scripting Tool for SAS Web Application
Server
Command Syntax
Start, Stop, and Restart Syntax
The syntax for the start, stop, and restart operations is as follows:
appsrvconfig.cmd start
appsrvconfig.cmd stop
Scripting Tool for SAS Web Application Server
303
appsrvconfig.cmd restart
Note: For UNIX operating environments, the command is appsrvconfig.sh.
The requested operation is performed on all the SAS Web Application Server instances
on the same machine.
The script is located in the SAS-config-dir\Levn\Web\Scripts\AppServer
directory.
Command Syntax
The positional command syntax is as follows:
<operation> <resourceType> <targetName> <scope ...>
The following example shows the commands for starting a server and deploying an
application:
start server SASServer1 global global
deploy application SASWIPAdmin9.4 server SASServer1
TIP You can deploy all applications with deploy application all server
SASServer1.
Resource Types
The following table provides a list of resource types and identifies the operations and
scope that apply to the resource type.
Table 19.1
Resource Types, Operations, and Scopes
Resource Type
Operations
Scopes
server
configure, unconfigure, start,
stop, restart
global
mailsession
configure, unconfigure
server
datasource
configure, unconfigure
server
loginmodule
configure, unconfigure
server
304 Chapter 19 / SAS Configuration Scripting Tools
Resource Type
Operations
Scopes
application
deploy, undeploy
server
jmserver
configure, unconfigure, start,
stop, restart
global
jms
configure, unconfigure
server
balancer
configure, unconfigure
global
member
configure, unconfigure
global
proxypass
configure, unconfigure
global
proxyserver
configure, unconfigure, start,
stop, restart
global
cache_locator
configure, unconfigure, start,
stop, restart
global
cache_server
configure, unconfigure, start,
stop, restart
global
Managing Credentials
Credentials are required to configure resources such as data sources and login
modules. You can store credentials in the SAS-config-dir\Lev1\Web\Scripts
\AppServer\props\credentials.properties file.
By default, the SAS Deployment Wizard does not persist credentials in the specified file.
When you run the configuration scripting tool, you are prompted for all credentials that
are required to configure the resources—but are not specified in the
credentials.properties file.
If the option to cache credentials was enabled when the SAS Deployment Wizard was
run, then the credentials are stored in the credentials.properties file. In this case, the
configuration scripting tool reads the credentials from the file rather than prompting for
them. When the Update passwords feature of the SAS Deployment Manager is used,
the passwords for the login modules and mail sessions are updated in the credentials
file. Passwords for data source definitions are not updated.
Scripting Tool for SAS Web Application Server
305
Log File
Details for the command execution are stored in the SAS-config-dir\Lev1\Web
\Scripts\AppServer\logs\config.log file. The SAS Deployment Wizard
invokes the configuration scripting tool, so this file already contains messages for an
installed system. This file can be useful for troubleshooting middle-tier configuration
tasks performed with the SAS Deployment Wizard and the SAS Deployment Manager.
Rebuilding the SAS Web Application Server
Configuration
You can rebuild the server configuration by running the configuration scripting tool. The
tool can re-create the entire configuration and restore it to the originally configured
state. The tool configures the resources according to the settings in the props
\appserver.properties file.
Executing a Batch Script
You can supply a file that contains a series of commands for the configuration scripting
tool to execute. You can supply a file with different commands to configure different
resources. The following example shows the syntax for using the configuration scripting
tool with a commands file that is named cmds.txt:
appsrvconfig.cmd cmds.txt
The following example shows the commands for undeploying and redeploying the SAS
Web Application Themes:
undeploy application SASThemes9.4 server SASServer1
deploy application SASThemes9.4 server SASServer1
If you are creating a resource that requires credentials, such as a data source,
remember to create property keys in the credentials.properties file.
Executing a Single Command
You can execute a single command on a single resource from a command line. The
following example shows how to undeploy SAS Web Application Themes:
appsrvconfig.cmd undeploy application SASThemes9.4 server SASServer1
306 Chapter 19 / SAS Configuration Scripting Tools
Properties Reference
Global Properties
A properties file is used by the configuration scripting tool to configure the SAS Web
Application Server. This properties file is found in SAS-config-dir\Lev1\Web
\Scripts\AppServer\props\appserver.properties. Each of the global
properties are described in the following list:
global.1.activeMQInstallDir
identifies the path to the JMS Broker software.
global.1.autoConfigure
is a Boolean value. If set to false, then manual configuration is requested and the
SAS Deployment Wizard creates a sample domain and configures servers in off-line
mode only. All configuration steps that are run outside of SAS Deployment Wizard
and SAS Deployment Manager are automated regardless of this setting.
global.1.autoDeploy
is a Boolean value. If set to false, then the SAS Deployment Wizard does not
deploy the SAS web applications. This property is not used by the configuration
scripting tool. This property is used by SAS Deployment Wizard to generate
documentation.
global.1.configLevWebDir
identifies the path to SAS-config-dir\Levn\Web.
global.1.configLevWebStagingDir
identifies the path to SAS-config-dir\Levn\Web\Staging.
global.1.containerType
identifies SAS Web Application Server. The supported value is vfabrictcsvr.
global.1.deployAgentPickList
identifies the path to the picklist for the deployment agent client. The picklist
specifies the versions of libraries to load.
global.1.gemFireInstallDir
identifies the path to the Cache Locator software.
Scripting Tool for SAS Web Application Server
307
global.1.isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
global.1.isScsPrimary
is a Boolean value. If set to true, then the SAS Content Server that is deployed on
this machine is the primary instance.
global.1.jmsSecurity
is a Boolean value. This property is not used by the configuration scripting tool. This
property is used by SAS Deployment Wizard to generate documentation.
global.1.jreHome
identifies the path to SAS-home\SASPrivateRuntimeEnvironment\9.4\jre.
global.1.osType
identifies the operating system for the SAS middle-tier machines. Valid values are
win, unx, or zos.
global.1.runasService
identifies whether the SAS Web Application Server is managed as a Windows
service.
global.1.scriptingDir
identifies the path to SAS-config-dir\Levn\Web\Scripts.
global.1.scriptingServerDirName
identifies the directory name that the configuration scripting tool uses. For SAS Web
Application Server, this value is AppServer.
global.1.tcServerInstallDir
identifies the path to SAS-home\SASWebApplicationServer\9.4.
global.1.tcServerInstanceDir
identifies the path to SAS-config-dir\Levn\Web\WebAppServer.
global.1.tcServerName
identifies the product name for the server. The default value is SAS Web
Application Server.
308 Chapter 19 / SAS Configuration Scripting Tools
global.1.tcServerVendor
identifies the vendor that supplied the web application server software. The default
value is SAS.
global.1.tcServerVersion
identifies the SAS Web Application Server version. The default value is 9.4.
global.1.vjrDirectory
identifies the path to SAS-home\SASVersionedJarRepository\eclipse.
global.1.webServerCommonDir
identifies the path to SAS-config-dir\Levn\Web\Common\WebServer.
global.1.webServerHost
identifies the host name for the SAS Web Server.
global.1.webServerHttpPort
identifies the network port number that the SAS Web Server uses for HTTP.
global.1.webServerHttpsPort
identifies the network port number that the SAS Web Server uses for HTTPS.
global.1.webServerInstanceDir
identifies the path to SAS-config-dir\Levn\Web\WebServer.
global.1.webServerIsConfigured
is a Boolean value. Indicates whether the SAS Deployment Wizard was requested to
configure the SAS Web Server.
global.1.webServerOsType
identifies the operating system for the SAS middle-tier machines. Valid values are
win or unx.
global.1.webServerProtocol
identifies the protocol that is used by the SAS Web Server. Valid values are http or
https.
global.1.webServerRemoteInstanceDir
identifies the path to SAS-config-dir\Levn\Web\WebServer. This property is
used when SAS Web Server is deployed on a different operating system than SAS
Web Application Server.
Scripting Tool for SAS Web Application Server
309
global.1.windowsServiceNamePrefix
identifies the service name prefix when the SAS Web Application Server is managed
as a Windows service. A sample value is SAS [Config-Lev1].
Credential Properties
All properties that are related to credentials are stored in the credentials.properties file.
The tool prompts you for these properties. This properties file does not need to be
edited directly. These values are cleared from the file after the tool completes if the
global property webappsrvScriptingCacheCredentials is set to false. When
stored, these values are stored in SAS base-64 encoding, not clear-text. If you chose to
store passwords in this file, then they are updated when you use the Update passwords
feature of the SAS Deployment Manager.
datasource.create_resource_passwd
is the data source user password.
datasource.create_resource_userid
is the data source user name.
domain.createloginmodule_SASTrust_passwd
is the SAS Trusted User password.
domain.createloginmodule_SASTrust_userid
is the SAS Trusted User. This identity is used to configure the JAAS login module.
mailsession.create_SASMailSession_passwd
is the mail session user password.
mailsession.create_SASMailSession_userid
is the mail session user ID. This credential is used only if the mail session property
mailsrvRequiresAuthentication is set to true.
Resource Properties
Each property file governs the configuration of a specific resource. The next section lists
and describes a group of properties that are common to many resources. The
subsequent sections identify properties that are specific to each resource type.
310 Chapter 19 / SAS Configuration Scripting Tools
Properties Common to Many Resources
The following properties are common to a number of resource types.
deleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
deletedTargets
is a comma-separated list of target servers that contain this resource that are
marked for deletion. A Delete operation removes these targets and removes the
resource if no targets remain.
targets
is a comma-separated list of servers that this resource instance is targeted to.
thisOperation
is a field that is used internally by SAS Deployment Wizard and SAS Deployment
Manager to manage resource files. It is not used by the configuration scripting tool.
thisTarget
is a field that is used internally by SAS Deployment Wizard and SAS Deployment
Manager to manage resource files. It is not used by the configuration scripting tool.
Application Properties
These resources represent applications deployed in SAS Web Server. Each application
is associated with a balancer. The properties are named in the following pattern
application.n.property.
archive
identifies the path to the EAR or WAR file for the application.
balancerName
identifies load balancer name that the application belongs to.
classLoaderMode
is a Boolean value. This property is not used by SAS Web Application Server.
classLoaderPolicy
is a Boolean value. This property is not used by SAS Web Application Server.
Scripting Tool for SAS Web Application Server
311
deployEJB
is a Boolean value. This property is not used by SAS Web Application Server.
deployWS
is a Boolean value. This property is not used by SAS Web Application Server.
explode
is a Boolean value. When false, it indicates that the archive file for the application
is copied and then deployed. When true, the application is extracted from the
archive and the application is deployed from the files.
isClustered
is a Boolean value. When false, the application is not deployed to additional
cluster members when they are created. When true, the application deployed to
each additional cluster member that has the same balancerName value when the
cluster member is created.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted
loadOrder
This property is not used by SAS Web Application Server.
name
identifies the name of the application, as it is used by other SAS software
applications (for example, SASWebReportStudio4.4).
serverName
identifies the server that the application is deployed to.
webapps
identifies the WAR file and context root mapping for each web application in the
archive.
Balancer Properties
These resources represent load balancers that are deployed in SAS Web Server. The
properties are named in the following pattern balancer.n.property.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
312 Chapter 19 / SAS Configuration Scripting Tools
name
identifies the name of the balancer. This value is referenced in the application
properties.
sessionid
identifies the session identifier name. The name is used as a cookie or request
parameter for sticky sessions to ensure that subsequent requests by a user are
directed to a single instance of SAS Web Application Server.
Cache Locator Properties
These resources represent the Cache Locator locator processes. A locator process is
used as an alternative to multicast messaging. The properties are named in the
following pattern cache_locator.n.property.
force
is a Boolean value. When set to true, the configuration scripting tools configure the
locator.
host
identifies the host name for the cache locator.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
locators
identifies the list of cache locators that this locator can communicate with.
name
identifies the name for this cache locator.
port
identifies the network port number that the cache locator uses for communication.
Cache Server Properties
These resources represent the Cache Locator processes. A locator process is used as
an alternative to multicast messaging. The properties are named in the following pattern
cache_server.n.property.
Scripting Tool for SAS Web Application Server
313
directory
identifies the path to the Cache Locator software.
force
is a Boolean value. When set to true, the configuration scripting tools configure the
server.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
Data Source Properties
Data source properties are used to configure JDBC data sources. The properties are
named in the following pattern datasource.n.property.
classpath
identifies the JAR files required for the JDBC driver.
driver
identifies the fully qualified JDBC driver class name.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
jndiName
identifies the data source JNDI name. This name is configured in application
configuration files and should not be changed without corresponding changes to the
applications that use this data source.
name
identifies the data source name. This name must be unique.
password
identifies the password that is used to connect to the database server.
serverName
identifies the SAS Web Application Server that the data source is associated with.
url
identifies the JDBC URL for communication with the database server.
314 Chapter 19 / SAS Configuration Scripting Tools
username
identifies the user ID that is used to connect to the database server.
validationQuery
identifies the test query that the SAS Deployment Wizard uses to check that the data
source is configured correctly.
JMS Resource Properties
JMS resource properties are used to configure JMS queues, topics, and connection
factories. The properties are named in the following pattern jms.n.property.
agedTimeout
This property is not used with SAS Web Application Server.
autoCreate
is a Boolean value. the name of the JMS system module to target this resource to.
connectionFactoryType
identifies whether this JMS resource is a connection factory for topics or queues.
connectionTimeout
identifies the number of seconds before connections to the JMS resource are closed
due to inactivity.
deliveryMode
This property is not used with SAS Web Application Server.
host
identifies the host name.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
jndiName
is the global JNDI name used to look up the destination within the JNDI namespace.
This name is configured in application configuration files and should not be changed
without corresponding changes to the applications that use this JMS resource.
moduleName
This property is not used with SAS Web Application Server.
Scripting Tool for SAS Web Application Server
315
name
is the name of this JMS resource.
port
identifies the network port number for connection factory JMS resources. For other
JMS resources, the value is zero.
purgePolicy
This property is not used with SAS Web Application Server.
readAhead
This property is not used with SAS Web Application Server.
reapTime
This property is not used with SAS Web Application Server.
schemaName
This property is not used with SAS Web Application Server.
scope
This property is not used with SAS Web Application Server.
serverName
identifies the SAS Web Application Server name that the JMS resource is
associated with.
sIBusDestType
This property is not used with SAS Web Application Server.
type
is the type of JMS resource to be configured. Supported values are
ConnectionFactory, Queue, and Topic.
unusedTimeout
This property is not used with SAS Web Application Server.
xAEnabled
This property is not used with SAS Web Application Server.
316 Chapter 19 / SAS Configuration Scripting Tools
JMS Server Properties
JMS server resource properties are used to configure Java Message Services servers.
The properties are named in the following pattern jmsserver.n.property.
host
identifies the host name.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
name
is the name of this JMS server.
port
identifies the network port number for the server.
Login Module Properties
JAAS login module properties are used to configure login modules. The properties are
named in the pattern loginmodule.n.property.
className
identifies the Java class that is used for the login module.
flag
identifies whether authentication must succeed with the module (required) or one
of the following: requisite, sufficient, optional.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
options
identifies the name and value pair mappings for options to use with the login module.
policyName
identifies the login policy for the login module.
serverName
identifies the SAS Web Application Server name that the login module is associated
with.
Scripting Tool for SAS Web Application Server
317
trustedUserPassword
identifies the password for the trusted user. The password is encoded and stored in
the credentials.properties file, if caching credentials was enabled when the SAS
Deployment Wizard was run.
trustedUsername
identifies the user ID for the account that is used to communicate with the SAS
Metadata Server.
Mail Session Properties
Mail session properties are used to configure mail sessions. The properties are named
in the pattern mailsession.n.property.
host
identifies the host name of the simple mail transfer protocol server.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
jndiName
is the global JNDI name used to look up the mail session within the JNDI
namespace. This name is configured in application configuration files and should not
be changed without corresponding changes to the applications that use this
resource.
name
identifies the name of the mail session resource.
password
identifies the password for the user ID. This property is used when the mail server
requires authentication.
port
identifies the network port number for the mail server.
serverName
identifies the SAS Web Application Server name that the mail session is associated
with.
318 Chapter 19 / SAS Configuration Scripting Tools
username
identifies the user ID for logging on to the mail server. This property is used when
the mail server requires authentication.
Member Properties
Member properties are used to configure SAS Web Server. The member properties are
used together with balancer properties to identify the SAS Web Application Server
instances and the applications. The properties are named in the following pattern
member.n.property.
host
identifies the host name of the SAS Web Application Server instance.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
name
identifies the name of the SAS Web Application Server instance.
port
identifies the network port number for the SAS Web Application Server instance.
protocol
is one of http or https.
route
is a Boolean value. If set to true, then a routing directive is added to the SAS Web
Server configuration file for this member.
target
identifies the balancer that this member is associated with.
Proxy Properties
The proxy properties are used to configure SAS Web Server as a reverse proxy for the
applications that are deployed to SAS Web Application Server instances. The properties
are named in the following pattern proxypass.n.property.
balancerName
identifies the balancer that is associated with the application.
Scripting Tool for SAS Web Application Server
319
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
name
identifies the application context root to proxy.
pass
is a Boolean value. If set to true, then SAS Web Server is configured to proxy the
application.
Server Properties
Server properties are used to configure SAS Web Application Server instances. The
properties are named in the following pattern server.n.property.
cacheLocatorPort
identifies the network port number for the Cache Locator.
cacheLocators
identifies the instances of the Cache Locator.
host
identifies the host name for the SAS Web Application Server.
httpPort
identifies the network port number that this server uses for HTTP connections.
httpsPort
identifies the network port number that this server uses for HTTPS connections.
isDeleted
is a Boolean value. If set to true, then this resource has been marked as deleted.
jmxPort
identifies the network port number that the server uses for Java Management
Extensions communication.
jvmOptions
is a list of JVM options for this server.
320 Chapter 19 / SAS Configuration Scripting Tools
multiplier
identifies the number of vertical cluster members to configure identically to this
server.
name
identifies the name for this SAS Web Application Server.
serverId
identifies that the resource type is a server.
name
identifies the name of the SAS Web Application Server.
sessionCookieName
identifies the value for the cookie that is associated with connections to this server.
Sticky sessions and cookies are used to ensure that all connections for a user are
routed to the same server instance.
shutdownPort
This property is not used with SAS Web Application Server.
321
Part 6
Appendices
Appendix 1
Configuring the SAS Environment File . . . . . . . . . . . . . . . . . . . . . . . . 323
Appendix 2
Administering Multicast Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
322
323
Appendix 1
Configuring the SAS Environment File
About the SAS Environment File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configuring the SAS Environment File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Customizing the SAS Environment File . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Element Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
About the SAS Environment File
A SAS environment file defines the available set of SAS environments for SAS client
applications, and is generated during the configuration of the SAS Web Infrastructure
Platform. The SAS Logon Manager includes a servlet that provides default information
for the initial deployment. The sas-environment.xml file is automatically deployed on
SAS Web Server at http://hostname.example.com/sas/sasenvironment.xml.
Your site might have requirements that application clients interact with separate
development, test, and production environments. Or, you might elect to have separate
SAS deployments to support distinct business units. In either scenario, when multiple
environments are required, you can customize and deploy the sasenvironment.xml file as needed.
Make sure that the file is available to SAS desktop clients. In environments that protect
URLs with third-party products like IBM Tivoli Access Manager WebSEAL or CA
SiteMinder, do not protect the URL to the file. The SAS desktop clients that use the fill
are unable to respond to a prompt for credentials. In these environments, you can
324 Appendix 1 / Configuring the SAS Environment File
deploy the file from a different HTTP server. Update the SAS desktop clients with the
new location if you change it.
Configuring the SAS Environment File
Customizing the SAS Environment File
The sas-environment.xml is located in the SAS-config-dir\Lev1\Web\WebServer
\htdocs\sas directory.
Here is a sample sas-environment.xml file that is configured for two environments:
<?xml version="1.0" encoding="UTF-8">
<environments xmlns="http://www.sas.com/xml/schema/sas-environments-9.4"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.sas.com/xml/schema/sas-environments-9.4
http://www.sas.com/xml/schema/sas-environments-9.4/sas-environments-9.4.xsd"
version="2.0">
<environment name="Red" default="false">
<desc>test server Red for SAS Financial Management Studio</desc>
<service-registry>http://red.example.com:80/SASWIPClientAccess/
remote/ServiceRegistry</service-registry>
<service-registry interface-type="soap">http://red.example.com:
80/SASWIPSoapServices/services/ServiceRegistry</service-registry>
<service-registry interface-type="rest">http://red.example.com:
80/SASWIPClientAccess/rest</service-registry>
</environment>
<environment name="Blue" default="true">
<desc>test server Blue for SAS Financial Management Studio</desc>
<service-registry>http://blue.example.com:80/SASWIPClientAccess/
remote/ServiceRegistry</service-registry>
<service-registry interface-type="soap">http://blue.example.com:
80/SASWIPSoapServices/services/ServiceRegistry</service-registry>
<service-registry interface-type="rest">http://blue.example.com:
80/SASWIPClientAccess/rest</service-registry>
</environment>
</environment>
The service registry that is specified in the file enables desktop client applications to
determine the location of required services on the middle tier. It also enables the
applications to obtain a list of services available in the environment. Note that this sas-
Configuring the SAS Environment File
325
environment.xml file is used by SAS Web Server, and the configuration in the file refers
to the host name and port number of SAS Web Server.
If SSL is configured at your site, specify the https protocol and the SSL port number for
the service registry.
If your site has multilingual users, you can configure the sas-environment.xml file to
include localized descriptions. In the next example, the Blue environment is specified in
German:
<environment name="Blue">
<desc>test2 Blue</desc>
<desc xml:lang="de">Blau</desc>
<service-registry>http://blue.example.com:80/SASWIPClientAccess
/remote/ServiceRegistry</service-registry>
<service-registry interface-type="soap">http://blue.example.com:
80/SASWIPSoapServices/services/ServiceRegistry</service-registry>
<service-registry interface-type="rest">http://blue.example.com:
80/SASWIPClientAccess/rest</service-registry>
</environment>
When the customized sas-environment.xml file is available for multiple environments,
see to the documentation for your SAS application or solution for instructions about how
to enable the availability of these environments for the users. If you change the location
of the sas-environment.xml file, be aware that SAS desktop applications such as SAS
Enterprise Miner need to be updated with the new location. The SAS desktop
applications that integrate with the middle tier use the -Denv.definition.location
JVM option in INI files to identify the location of the sas-environment.xml file. Refer the
documentation for the SAS desktop applications that you use. The SASHome/
sassw.config file is also used to identify the location of the sas-environments.xml file.
Update the SASENVIRONMENTSURL= value in the sassw.config file.
Element Description
The following list identifies and describes the elements that can be used in the sasenvironment.xml file:
environment
has a name attribute that cannot contain space characters. This attribute is used
internally by SAS software to identify each of the environments that are available in
326 Appendix 1 / Configuring the SAS Environment File
the deployment. This element has an attribute that is named default. This attribute is
used to identify a default environment for client applications. If this attribute is set to
true for more than one environment element, then the last environment in the file
with the attribute set to true is set as the default environment. It is not necessary to
set the attribute to false for all other environments.
desc
used in the client applications to provide a menu of environment choices. As shown
in the previous example, this field can provide a localized message when the
xml:lang attribute is set.
service-registry
contains the URL to the service registry for the environment. Use the protocol, host
name, and port number of SAS Web Server. By default, SAS Web Server is
configured to provide access to SAS Web Infrastructure Platform.
327
Appendix 2
Administering Multicast Options
Overview of Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
How Much Multicast Network Traffic is Generated? . . . . . . . . . . . . . 329
Multicast Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring Multicast Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Applications That Use Multicast Communication . . . . . . . . . . . . . . . . . 330
Multicast Options Configuration Files for SAS
Remote Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Multicast Options Configuration Files for SAS
Web Application Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Multicast Options Configuration Files for SAS BI
Report Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Key Multicast Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Configuring a Multicast Authentication Token . . . . . . . . . . . . . . . . . . . . 333
Understanding the Multicast Authentication Token . . . . . . . . . . . . . . . 333
Reconfiguring to Use a Multicast Authentication Token . . . . . . . . . 334
Configuring the JGroups Bind Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Understanding JGroups the Bind Address . . . . . . . . . . . . . . . . . . . . . . . . 335
Setting the Bind Address for SAS Remote Services . . . . . . . . . . . . . 336
Setting the Bind Address for SAS Web Application Server . . . . . 337
Setting the Bind Address for the Report Output
Generation Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
328 Appendix 2 / Administering Multicast Options
Overview of Multicasting
Multicast communication is used to communicate among SAS middle-tier applications in
a single SAS deployment (the set of applications connected to the same SAS Metadata
Server). When installation is performed with the SAS Deployment Wizard, the wizard
generates a default multicast address that is based on IP address of the SAS Metadata
Server. The combination of multicast address and multicast UDP port number must be
different for each SAS deployment and also different from any other multicast
applications at your site.
The multicast communication includes all the information that is needed to bootstrap the
SAS middle-tier applications. Because this information includes the SAS environment
credentials (such as the sasadm account name and its password), time to live (TTL)
and encryption options are provided to secure the multicast communication.
Multicast options are specified as JVM options. Multicast options provide the ability to
tune and change the behavior of the multicast communication that occurs within the
SAS deployment. The multicast address and UDP port number must match the values
in the SAS Web Application Server start-up script and the environment.properties file
located in the SAS-config-dir\Lev1\Web\Applications\RemoteServices
directory.
Administering multicast options typically involves the following:
n
setting options such as the multicast address
n
configuring security with a multicast authentication token
n
configuring the bind address that is used for multicast communication
Multicast Security
329
How Much Multicast Network Traffic is
Generated?
The amount of multicast network traffic that is generated by SAS applications is fairly
small. The greatest amount of traffic is generated during application start up. When SAS
Remote Services starts, the largest packet that it generates is 124 bytes. Once startup
is complete, the typical rate is less than 64 Kb per hour.
When the web application server starts, the largest packet is 256 bytes. Once startup is
complete, the typical rate for an entire SAS Enterprise Business Intelligence Server
deployment (including SAS Remote Services) is less than 128 Kb per hour.
Once the applications are generating multicast traffic, the amount of traffic is steady
regardless of the load on the SAS Web applications.
Multicast Security
A multicast group communications protocol is used to communicate among middle-tier
SAS applications in a single SAS deployment (the set of applications connected to the
same SAS Metadata Server). During installation, the SAS Deployment Wizard supplies
you with a default multicast address and port number that it generates based on the
machine's (metadata server) IP address. The combination of multicast IP address and
multicast UDP port should be different for each SAS deployment and also different from
those used by other multicast applications at your site.
The IP address and multicast UDP port number for the multicast host must match the
values in the SAS Web Application Server start-up script and the
environment.properties file.
The multicast group communication includes all information needed to bootstrap SAS
middle-tier applications. Because this includes sending the SAS environment
credentials (such as the sasadm account name and its password), scoping and
encryption options are provided in the SAS Deployment Wizard. The defaults are most
330 Appendix 2 / Administering Multicast Options
appropriate for deployments in the firewall, isolated data center environment. After
installation, if you choose to modify the scoping or encryption options, you can do so by
specifying the options for the -Dmulticast.security parameter for the web application
server.
For more information, see “Administering Multicast Options” on page 328.
Configuring Multicast Options
Applications That Use Multicast
Communication
Multicast options should be changed in a synchronous manner among the following
applications:
n
SAS Remote Services
n
SAS Web Application Server
n
SAS BI Report Services Report Output Generation tool (if applicable)
Multicast Options Configuration Files for SAS
Remote Services
You can make changes to the multicast options for the JVM that is used by SAS
Remote Services. Edit the appropriate files as needed.
On Windows, in directory SAS-config-dir\Lev1\Web\Applications
\RemoteServices, change the following files:
n
RemoteServices.bat.
n
wrapper.conf.
n
environment.properties
On UNIX and z/OS, edit the RemoteServices.sh and environment.properties files.
Configuring Multicast Options
331
Multicast Options Configuration Files for SAS
Web Application Server
You can make changes to multicast options for SAS Web Application Server. The
options are specified as JVM options. For more information, see “Specifying JVM
Options” on page 49.
Multicast Options Configuration Files for SAS
BI Report Services
If the SAS BI Report Services Report Output Generation tool is used, then set multicast
options for the Report Output Generation tool as well. The multicast options are set in
the SAS-install-dir\SASBIReportServices\4.4\outputgen.ini file.
Key Multicast Properties
The following table shows some key multicast properties.
Table A2.1 Multicast Properties
Property
Default Value
Unit
Description
multicast.address
239.X.Y.Z
Not applicable
This value is provided by the SAS
Deployment Wizard prompting
mechanism and defaults to
239.X.Y.Z. Values for X, Y, and Z
are the last three octets of the
metadata server's IP address.
In an IPv6 environment, the value
defaults to ff14::/16.
multicast.port
8561
Not applicable
This value is provided by the SAS
Deployment Wizard prompting
mechanism and represents the
port on which UDP
communication occurs.
332 Appendix 2 / Administering Multicast Options
Property
Default Value
multicast_udp_ip_ 1
ttl
Unit
Description
Decimal. Specifies
how far a multicast
packet should be
forwarded from a
sending host.
The IP multicast routing protocol
uses the Time to Live (TTL) field
of IP datagrams to decide how far
a multicast packet should be
forwarded from a sending host.
The default TTL for multicast
datagrams is 1, which results in
multicast packets going only to
other hosts in the local network.
0 is restricted to the
same host.
1 is restricted to the
same subnet.
32 is restricted to
the same site.
64 is restricted to
the same region.
128 is restricted to
the same continent.
255 is unrestricted.
multicast.security
Not applicable
Not applicable
If all SAS applications
participating in the multicast (this
includes Remote Services, any
Java applications in the middle
tier, and BI Report Services) are
on the same machine, the value
should be 0.
If your site has a SAS middle-tier
application that resides on a
different subnet but uses the
same metadata server within the
same SAS deployment, increase
the value for this property.
By default (with no value), both
encryption and authentication are
enabled. Valid values are:
n ENCRYPT: encrypt but do not
require authentication
n NONE: do not encrypt and do
not require authentication
multicast.config.fil
e
Not applicable
URL string (file://,
http://, and so on)
By default, a JGroups
configuration is provided.
However, you can provide your
own configuration by specifying
the URL path to that
configuration. This option enables
you to specify a port range or
change from IP multicast to the
gossip router capabilities of
JGroups.
Configuring a Multicast Authentication Token
333
Configuring a Multicast Authentication
Token
Understanding the Multicast Authentication
Token
By default, the multicast communication is protected with encryption because it conveys
credentials. This default setting for encryption uses a fixed encryption key that is built
into the software and is common to all SAS middle-tier software. This strategy prevents
access to the multicast communication from unauthorized listeners. This setting might
be sufficient for deployments where multicast communication is isolated from the user
community with a firewall, a TTL option, or the deployment is in an isolated data center.
If your middle tier meets any of the following criteria, then you might want to set a
multicast authentication token value:
n
the middle-tier environment is not well isolated from end-user access
n
the security procedures at your site require protection among administrative and
operational staff in various roles
n
you want more protection against eavesdroppers and unauthorized participants
For these deployments, set a multicast authentication token value that is known only to
the appropriate personnel. A multicast authentication token is a password-like string that
is needed to connect to the multicast group and create a site-specific encryption key. In
a multi-tier configuration, the SAS Deployment Wizard displays a prompt for a multicast
authentication token on each tier that has an application participating in multicast
communication. The same authentication token value must be specified for each tier in
the same SAS deployment (each tier associated with the same metadata server).
The multicast authentication token has an interaction with the multicast.security
property. By default, clients that want to join a multicast group to receive messages are
required to provide an authentication token for the join request. (This is true whether a
custom token value is used or if the default token value that is built into the software is
used.) If you determine this process is causing an impact on performance, or that it is
334 Appendix 2 / Administering Multicast Options
unnecessary, you can disable the use of authentication tokens. If you set the
multicast.security property to NONE, encryption and authentication are disabled. If you
set the property to ENCRYPT, then encryption is enabled with no authentication of the
join request.
Reconfiguring to Use a Multicast
Authentication Token
Generate a Token and Set the Token for SAS Remote Services
1 Use SAS and the PWENCODE procedure to generate an encoded password to use
as the multicast authentication token. For example,
{SAS002}DA9A0A5C20629B7F34D2C88A165E5530.
2 Edit the SAS-config-dir\Lev1\Web\Applications\RemoteServices
\RemoteServices.bat file to add a -DMULTICAST_AUTHENTICATION_TOKEN
JVM option.
For Windows, add the option in the runasScripts section:
:runasScripts
set MULTICAST_AUTHENTICATION_TOKEN=token
For UNIX and z/OS, add the option to the RemoteServices.sh file after the
SERVERUSER variable:
SERVERUSER=sas
MULTICAST_AUTHENTICATION_TOKEN="token"
export MULTICAST_AUTHENTICATION_TOKEN
3 For Windows, also add the JVM option to the wrapper.conf file. Add it to the end
of the wrapper.java.additional.11 entry:
wrapper.java.additional.11=-XX:+UseTLAB -XX:+UseConcMarkSweepGC
-XX:+DisableExplicitGC -Dsun.rmi.dgc.client.gcInterval=3600000
-Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Xss256k
-XX:NewSize=16m -XX:MaxNewSize=16m -XX:PermSize=64m -XX:MaxPermSize=64m
-DMULTICAST_AUTHENTICATION_TOKEN=token
Note: Do not use carriage returns or line feed characters when editing long lines.
4 Restart SAS Remote Services.
Configuring the JGroups Bind Address
335
Setting the Token for the Report Output Generation Tool
1 Edit the SAS-install-dir\SASBIReportServices\4.4\outputgen.ini file.
2 Add a JavaArgs_nn entry that is similar to the following:
JavaArgs_13=-Dsas.app.launch.picklist=picklist;"help\primary.picklist"
JavaArgs_14=-DMULTICAST_AUTHENTICATION_TOKEN=token
Classpath=-cp "<VJRHOME>/eclipse/plugins/sas.launcher.jar"
Configuring the JGroups Bind Address
Understanding JGroups the Bind Address
Some SAS middle-tier applications use JGroups to perform multicast communication
between applications and to perform caching of application properties. The JGroups
software binds to the IP address of first non-loopback network interface that it can
detect on the machine. Many machines have multiple network interfaces (multihomed),
and each network interface has its own IP address. In some cases, the Web application
server selects the value of InetAddress.getLocalHost().getHostName() as the bind
address to use for multicast communication and SAS Remote Services selects a
different IP address to bind to.
Multicast communication does not function correctly if the IP address selected by
JGroups for SAS Remote Services does not match the IP address selected by the web
336 Appendix 2 / Administering Multicast Options
application server. One indication of a mismatch is an error message that appears in the
web application server log file. See the following example:
13:39:35,602 ERROR [ContextLoader] Context initialization failed
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean
definition with name 'dashboardServices' defined in ServletContext resource
[/WEB-INF/spring-config/services-config.xml]: Could not resolve placeholder
'metadata.user'
ERROR [main]
ERROR [main]
cache.
ERROR [main]
ERROR [main]
ERROR [main]
ERROR [main]
– ****************************************************************
– Required entry, '/sas/properties/environment', not found in the
–
–
–
–
Possible causes include: the RemoteServices VM is not started or
there is a multicast address/port mismatch; using
address=239.168.68.1 and port=8561.
****************************************************************
Set the bind address for SAS Remote Services, the web application server, and the
SAS BI Report Services Report Generation tool if the previous error message is seen.
Setting the Bind Address for SAS Remote
Services
1 For deployments on Windows, edit the SAS-config-dir\Lev1\Web
\Applications\RemoteServices\wrapper.conf file. Add a
wrapper.java.additional.nn entry that is similar to the following:
wrapper.java.additional.12=-Dlog4j.configuration="..."
wrapper.java.additional.13=-Djgroups.bind_addr=ip-address
2 Edit the SAS-config-dir\Lev1\Web\Applications\RemoteServices
\RemoteService.bat file. Add the JVM option in the start2 section:
:start2
start "SAS Remote Services" "%JAVA_JRE_COMMAND%" ^
-classpath "%CLASSPATH%" ^
-Dsas.ext.config="C:\Program Files\SASHome\sas.java.ext.config" ^
-Djgroups.bind_addr=ip-address
3 Restart SAS Remote Services.
Configuring the JGroups Bind Address
337
Setting the Bind Address for SAS Web
Application Server
Specify the
-Djgroups.bind_addr=ip-address
JVM option for the server.
The option is used when the server is restarted.
Setting the Bind Address for the Report
Output Generation Tool
1 Edit the SAS-install-dir\SASBIReportServices\4.4\outputgen.ini file.
2 Add a JavaArgs_nn entry that is similar to the following:
JavaArgs_13=-Dsas.app.launch.picklist=picklist;"help\primary.picklist"
JavaArgs_14=-Djgroups.bind_addr=ip-address
Classpath=-cp "<VJRHOME>/eclipse/plugins/sas.launcher.jar"
338 Appendix 2 / Administering Multicast Options
339
Glossary
alert
an automatic notification of an electronic event that is of interest to the recipient.
authentication
See client authentication
authentication domain
a SAS internal category that pairs logins with the servers for which they are valid.
For example, an Oracle server and the SAS copies of Oracle credentials might all be
classified as belonging to an OracleAuth authentication domain.
authentication provider
a software component that is used for identifying and authenticating users. For
example, an LDAP server or the host operating system can provide authentication.
base path
the location, relative to a WebDAV server's URL, in which packages are published
and files are stored.
client authentication
the process of verifying the identity of a person or process for security purposes.
client-side pooling
a configuration in which the client application maintains a collection of reusable
workspace server processes.
340 Appendix 2 / Administering Multicast Options
content mapping
the correspondence of the SAS metadata folder structure to a content repository
system. SAS metadata folders are generally mapped to a WebDAV such as the SAS
Content Server repository, or to a local file system.
credentials
the user ID and password for an account that exists in some authentication provider.
deploy
to install an instance of operational SAS software and related components. The
deployment process often includes configuration and testing as well.
foundation repository
the metadata repository that is used to specify metadata for global resources that
can be shared by other repositories. For example, a foundation repository is used to
store metadata that defines users and groups on the metadata server.
foundation services
See SAS Foundation Services
hot deployment
the process of upgrading an application or component in a client-server environment
while the server is running. Hot-deployed components are made available
immediately, and do not require the server to be restarted.
identity
See metadata identity
Java Development Kit
See JDK
Java RMI
See remote method invocation
Configuring the JGroups Bind Address
341
Java Virtual Machine
See JVM
JDK
a software development environment that is available from Oracle Corporation. The
JDK includes a Java Runtime Environment (JRE), a compiler, a debugger, and other
tools for developing Java applets and applications. Short form: JDK.
JVM
a program that interprets Java programming code so that the code can be executed
by the operating system on a computer. The JVM can run on either the client or the
server. The JVM is the main software component that makes Java programs
portable across platforms. A JVM is included with JDKs and JREs from Oracle
Corporation, as well as with most Web browsers. Short form: JVM.
metadata identity
a metadata object that represents an individual user or a group of users in a SAS
metadata environment. Each individual and group that accesses secured resources
on a SAS Metadata Server should have a unique metadata identity within that
server.
middle tier
in a SAS business intelligence system, the architectural layer in which Web
applications and related services execute. The middle tier receives user requests,
applies business logic and business rules, interacts with processing servers and
data servers, and returns information to users.
pool
a group of server connections that can be shared and reused by multiple client
applications. A client-side pool consists of one or more puddles.
portal
a Web application that enables users to access Web sites, data, documents,
applications, and other digital content from a single, easily accessible user interface.
342 Appendix 2 / Administering Multicast Options
A portal's personalization features enable each user to configure and organize the
interface to meet individual or role-based needs.
portlet
a Web component that is managed by a Web application and that is aggregated with
other portlets to form a page within the application. Portlets can process requests
from the user and generate dynamic content.
puddle
a group of servers that are started and run using the same login credentials. Each
puddle can also allow a group of clients to access the servers.
remote method invocation
a Java programming feature that provides for remote communication between
programs by enabling an object that is running in one Java Virtual Machine (JVM) to
invoke methods on an object that is running in another JVM, possibly on a different
host. Short form: RMI.
remote service deployment
a service deployment that supports shared access to a set of SAS Foundation
Services that are deployed within a single Java Virtual Machine (JVM), but which are
available to other JVM processes. Applications use the remote service deployment
to deploy and access remote foundation services.
repository
a storage location for data, metadata, or programs.
RMI
See remote method invocation
SAS Application Server
a logical entity that represents the SAS server tier, which in turn comprises servers
that execute code for particular tasks and metadata objects.
Configuring the JGroups Bind Address
343
SAS batch server
a SAS Application Server that is running in batch mode. In the SAS Open Metadata
Architecture, the metadata for a SAS batch server specifies the network address of a
SAS Workspace Server, as well as a SAS start command that will run jobs in batch
mode on the SAS Workspace Server.
SAS BI Web service
a Web service that adheres to the XML for Analysis (XMLA) specification for
executing SAS Stored Processes.
SAS Content Server
a server that stores digital content (such as documents, reports, and images) that is
created and used by SAS client applications. To interact with the server, clients use
WebDAV-based protocols for access, versioning, collaboration, security, and
searching.
SAS Foundation Services
a set of core infrastructure services that programmers can use in developing
distributed applications that are integrated with the SAS platform. These services
provide basic underlying functions that are common to many applications. These
functions include making client connections to SAS application servers, dynamic
service discovery, user authentication, profile management, session context
management, metadata and content repository access, activity logging, event
management, information publishing, and stored process execution.
SAS Framework Data Server
a database server that is the default location for middle-tier data such as alerts,
comments, and workflows, as well as data for the SAS Content Server and SAS
Service Parts Optimization. The server is provided as an alternative to using a thirdparty DBMS. The server cannot be used as a general-purpose data store.
SAS Management Console
a Java application that provides a single user interface for performing SAS
administrative tasks.
344 Appendix 2 / Administering Multicast Options
SAS Metadata Repository
a container for metadata that is managed by the SAS Metadata Server.
SAS Web Infrastructure Platform
a collection of middle-tier services and applications that provide infrastructure and
integration features that are shared by SAS Web applications and other HTTP
clients.
SAS Workspace Server
a SAS IOM server that is launched in order to fulfill client requests for IOM
workspaces.
server-side pooling
a configuration in which a SAS object spawner maintains a collection of reusable
workspace server processes that are available for clients. The usage of servers in
this pool is governed by the authorization rules that are set on the servers in the
SAS metadata.
service
one or more application components that an authorized user or application can call
at any time to provide results that conform to a published specification. For example,
network services transmit data or provide conversion of data in a network, database
services provide for the storage and retrieval of data in a database, and Web
services interact with each other on the World Wide Web.
service configuration
a set of values that can be customized for a particular service in SAS Foundation
Services. By editing a service configuration, you can override the default
configuration for the foundation service.
service deployment
a collection of SAS Foundation Services that specifies the data that is necessary in
order to instantiate the services, as well as dependencies upon other services.
Applications query a metadata source (a SAS Metadata Server or an XML file) to
Configuring the JGroups Bind Address
345
obtain the service deployment configuration in order to deploy and access
foundation services.
session context
a context that serves as a control structure for maintaining state within a bound
session. 'State' includes information about the latest status, condition, or content of a
process or transaction. Session Services, User Services, and Logging Services use
the session context to facilitate resource management and to pass information
among services.
single sign-on
an authentication model that enables users to access a variety of computing
resources without being repeatedly prompted for their user IDs and passwords. For
example, single sign-on can enable a user to access SAS servers that run on
different platforms without interactively providing the user's ID and password for
each platform. Single sign-on can also enable someone who is using one application
to launch other applications based on the authentication that was performed when
the user initially logged on.
SSO
See single sign-on
theme
a collection of specifications (for example, colors, fonts, and font styles) and
graphics that control the appearance of an application.
trust
to accept the authentication or verification that has been performed by another
software component.
trust relationship
a logical association through which one component of an application accepts
verification that has already been performed by another component.
346 Appendix 2 / Administering Multicast Options
trusted user
a privileged service account that can act on behalf of other users on a connection to
the metadata server.
unrestricted identity
a user or group that has all capabilities and permissions in the metadata
environment due to membership in the META: Unrestricted Users Role (or listing in
the adminUsers.txt file with a preceding asterisk).
user context
a set of information about the user who is associated with an active session. The
user context contains information such as the user's identity and profile.
Web-distributed authoring and versioning
a set of extensions to the HTTP protocol that enables users to collaboratively edit
and manage files on remote Web servers. Short form: WebDAV.
WebDAV
See Web-distributed authoring and versioning
WebDAV repository
a collection of files that are stored on a Web server so that authorized users can
access them.
347
Index
A
alert notification
SMS 74
alerts
default delivery type 71
anonymous access 269
anonymous web user 167
audit 89
auditing 80, 82
for web applications 80
relational tables for 80
authenticated users 88
authentication 166, 237
See also Web authentication
SAS Anonymous Web User
with 269
SAS authentication for Java
167
token for multicast security
333
authentication requests 120
authorization
for SAS Content Server 151
B
backups
SAS Content Server 137
bind address 335
branding 174
C
cascading style sheets (CSS)
173
migrating 190
channels
deleting packages 287
clear text 166
client access
enabling for JMX 294
clustering 210
for web application servers
207
colors
changing in themes 182
comment management
predefined role 64
concurrent logon sessions 133
configuration
auditing for web applications
80
cluster of web application
servers 207
custom logoff message 120
348 Index
data sources for middle tier
26
HTTP sessions 215
Job Execution Service 28
multicast options 330
properties for SAS Web
Report Studio 67
reconfiguring Web application
server 110
removing configuration
content 102
sample middle-tier
deployment scenarios 204
SAS environment file 324
scripting tools 301
shared between middle and
server tiers 21
SharedServices DSN 27
SMTP mail server for middle
tier 22
Web application server, to
enable JMX client access
294
web services 161
Configuration Manager 65
deleting web services 161
example 67
properties for SAS Web
Report Studio 67
summary of steps for 66
connection properties 77
internal and external 75
content
See also SAS Content Server
loading manually 140
moving and sharing 137
updating manually 141
custom logoff message 120
custom themes
See themes
custom web applications
See Web applications
D
data sources 26
configuring for middle tier 26
configuring SharedServices
DSN 27
database persistence 137
DAVTree utility 282
adding resources to WebDAV
283
advanced features 285
connecting to a WebDAV
location 282
copying or moving files in
WebDAV 285
editing text files in WebDAV
285
starting 282
debugging
Package Clean-Up utility 291
Web application logging levels
112
Default theme 173
demilitarized zone (DMZ) 210
deployment
Index
manually deploying content to
SAS Content Server 138
redeploying web applications
107
sample middle-tier scenarios
204
SAS Deployment Manager
101
themes 173, 175
themes, in test environment
186
directives 100
adjusting URLs manually 142
DMZ (demilitarized zone) 210
documentation 18
E
e-mail
configuring SMTP server 22
sending to users 88
EAR files
names 105
environment
See middle-tier environment
environment file, configuring
324
exploded directories 104
external connection 75
F
files
adding to SAS Content Server
150
deleting 151
permissions for WebDAV files
147
firewalls 210
folders
creating 149
deleting 151
permissions for WebDAV
folders 147
G
generated web services 160,
167
global properties
setting for SAS applications
69
global single sign-on time-out
interval 129
graphics
changing in themes 183
H
HTTP sessions
affinity 210
auditing 82
configuring 215
time-out interval 124
HTTP transport-layer security
167
349
350 Index
I
images 173
changing in themes 183
migrating 190
internal connection 75
IOM Spawners 297
J
Java
configuring web services for
161
SAS authentication for 167
web authentication for 168
Java Mail Session 22
Java Management Extensions
See JMX (Java Management
Extensions)
Java Runtime Environment
(JRE) 8
JConsole
managing SAS resources 294
JDBC 27
JGroups 335
JMX (Java Management
Extensions) 293
enabling client access 294
JConsole 294
managing SAS resources 293
MBeans 293, 295
JSR 168 18
JVM options 319
default values 214
SAS Content Server 136
SAS Workflow 15
L
loading content manually 140
locked settings 69
log files
changing location of 113, 117
logging 112
changing logging levels 112
for Web applications 111
Package Clean-Up utility 291
service settings for Web
applications 111
logoff message
configuring custom message
120
M
MBeans 293, 295
accessing 293
Server MBean 298
ServerFactory MBean 296
Spawner MBean 297
metadata
deleting themes from 189
middle tier
configuration shared with
server tier 21
configuring data sources for
26
Index
configuring SMTP mail server
for 22
sample deployment scenarios
204
SAS Web Infrastructure
Platform Data Server with
23
middle-tier environment 4
SAS Content Server 15
SAS Web Infrastructure
Platform 9
SAS Workflow 15
starting web applications 18
Web applications 16
migrating themes 189
cascading style sheets (CSS)
190
images 190
SAS Logon Manager 192
theme descriptors 191
theme templates 191
monitoring users 88
moving content 137
multicast options 328
configuring 330
multicast properties 331
multicast security 328, 329
authentication token for 333
N
naming themes 186
351
O
online documentation
See documentation
P
Package Clean-Up utility 286
arguments 290
changing prompt behavior
288
deleting packages 287
deleting specific packages
288
examples 292
listing packages 289
logging and debugging 291
syntax for deleting packages
287
packages
deleting 287
deleting specific packages
288
listing 289
passwords 304, 309
performance
clustering web application
servers 210
network topology 204
SAS Workflow 15
permissions
WebDAV folders and files 147
persistence, database 137
preferences 63
352 Index
product-specific branding 174
production environment
moving themes to 187
prompts
Package Clean-Up utility 288
properties
global properties for SAS
applications 69
SAS Application Infrastructure
69
SAS Web Report Studio 67
proxy configurations
configuring HTTP sessions in
environments with 215
R
rebuilding themes 186
rebuilding Web applications 103
exploded directories 104
rebuilding one or more 104
when to rebuild 103
redeploying web applications
107
SAS Web Application Server
108
relational tables
for auditing 80
reports
See SAS Web Report Studio
resources
adding to WebDAV repository
283
managing SAS resources with
JConsole 294
managing SAS resources with
JMX tools 293
roles
Comments:Administrator 64
Job Execution Services 33
S
SAS Anonymous Web User
SAS authentication with 269
SAS Application Infrastructure
properties 69
SAS applications
global properties for 69
SAS authentication 166
for Java 167
SAS Anonymous Web User
with 269
SAS BI Dashboard 17
SAS BI Portlets 18
SAS BI Web Services for Java
10
SAS Comment Manager
Comments:Administrator role
64
predefined role 64
SAS Content Server 10, 15,
136
adding files to 150
Administration Console 144
authorization for 151
backing up 137
Index
database for storage 137
deploying content manually
138
loading content manually 140
moving and sharing content
137
updating content manually
141
SAS Content Server
Administration Console 144
accessing 144
adding files to SAS Content
Server 150
creating folders 149
deleting folders or files 151
interface 145
permissions for WebDAV
folders and files 147
SAS Default theme 173
SAS Deployment Manager 101
accessing 102
auditing for web applications
80
custom log on, log off, and
time-out messages 120
HTTP session time-out
interval 124
rebuilding Web applications
103
removing configuration
content 102
update passwords 304, 309
SAS environment file 323
configuring sasenvironment.xml 324
SAS Foundation Services 13
SAS Information Delivery Portal
16
SAS Intelligence Platform 4
SAS Logon Manager 10
auditing 82
concurrent logon sessions
133
internal and external
connections 77
SAS Mail Service 22
SAS Management Console
assigning default theme from
188
Configuration Manager 65
SAS Preferences Manager 10,
63
SAS Remote Services
Application
multicast options 330
SAS resources
managing with JConsole 294
managing with JMX tools 293
SAS servers 296, 298
SAS Shared Web Assets 10
SAS Stored Process Web
application 10
SAS Web Administration
viewing audit reports 89
SAS Web Administration
Console 10, 86
accessing 87
monitoring users 88
sending e-mail to users 88
users appearing in 88
353
354 Index
viewing information about web
applications 99
SAS Web Application Server
reconfiguring 302
redeploying web applications
108
SAS Web Application Themes
See themes
SAS Web Infrastructure
Platform 9, 62
Configuration Manager 65
default alert notification
delivery type 71
global properties for SAS
applications 69
SAS Comment Manager 64
SAS Preferences Manager 63
SAS Web Administration
Console 86
SAS Web Infrastructure
Platform Data Server 23
SAS Web Infrastructure
Platform Services 10, 14
SAS Web Report Studio 16
configuring properties 67
sas-environment.xml,
configuring 324
security
HTTP transport-layer 167
logon audit 82
multicast 328, 329
SAS Anonymous Web User
269
SAS Comment Manager 64
TLS (SSL) 270
transport-layer 169
web services 166
WS-Security message-level
167
Server MBean 298
server tier
configuration shared with
middle tier 21
ServerFactory MBean 296
servers
See SAS servers
session affinity 210
session time-out interval 124
SharedServices database 26
SharedServices DSN 26
configuring 27
SMS alert notification 74
SMTP mail server
configuring for middle tier 22
sources
See data sources
Spawner MBean 297
static content
caching 204
system users 88
T
test environment
deploying themes in 186
testing themes 187
text files
editing in WebDAV 285
theme descriptors 173
Index
migrating 191
theme templates 173
changing 185
migrating 191
themes 172
assigning as default theme
188
cascading style sheets (CSS)
173
changing colors 182
changing graphics 183
changing theme templates
185
components 172
creating and deploying 173
creating work area for 177
Default theme 173
defining and deploying 175
deleting from metadata 189
deploying in test environment
186
designing 176
images and 173
migrating 189
migrating cascading style
sheets (CSS) 190
migrating images 190
migrating theme descriptors
191
migrating theme templates
191
moving to production
environment 187
naming 186
rebuilding 186
testing 187
time-out interval 124, 129
TLS (Transport Layer Security)
for web applications 270
transport layer security
web services 166
transport-layer security 169
tuning Web application servers
214
U
UpdateDefaultTheme.sas
program 189
updating content manually 141
URLs
adjusting directive URLs
manually 142
users
appearing in SAS Web
Administration Console 88
authenticated 88
monitoring with SAS Web
Administration Console 88
sending e-mail to 88
system users 88
W
warning message
inactive user sessions 122
web application servers 8
configuring a cluster of 207
355
356 Index
enabling JMX client access
294
tuning 214
Web applications deployed in
single server 204
Web application servers
bind address and JGroups
335
multicast options 331
reconfiguring 110, 301
web application themes
See themes
web applications
auditing for 80
configuring custom logoff
messages 120
custom log on, log off, and
time-out messages 120
deployed across web
application server cluster
207
deployed in single web
application server 204
directives 100
disable concurrent logon
sessions 133
HTTP session time-out
interval 124
redeploying 108
SAS BI Dashboard 17
SAS Documentation for the
Web 18
SAS Information Delivery
Portal 16
SAS Web Report Studio 16
settings 99
themes 172
TLS (SSL) 270
viewing information about 99
Web applications 16
changing location of log files
113, 117
changing logging levels 112
EAR file names 105
inactive user sessions 122
logging for 111
rebuilding 103
SAS Deployment Manager
and 101
SAS Web Administration
Console 86
starting 18
warning message 122
web authentication 167, 237
for Java 168
RESTful web services 168
transport-layer security 169
Web authentication
See authentication
Web Service Maker 160, 167
web services
CA SiteMinder 168
configuring 161
deleting 161
generated 160, 167
security for 166
third-party authentication 168
XMLA 167
webanon account 269
WebDAV
Index
See also DAVTree utility
adding resources to repository
283
content management with
DAVTree utility 282
copying or moving files 285
deleting packages 287
editing text files 285
permissions for folders and
files 147
WebDAVDump utility 137
WebDAVRestore utility 137
work area
creating for themes 177
WS-Security message-level
security 167
X
XMLA web services 167
357
358 Index
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising