SAS/Connect and SAS/Secure

 

8/17/2010
Eric Low

 

Setting up User Accounts for SAS/Connect:

See this document. First, you'll need an account to run the spawner service with. It should have the following rights:

- Act as part of the operating system
- Adjust memory quotas for a process (previously called Increase quotas)
- Replace process level tokens
- Log on as a service (because when you change the service's properties to run with this user, it will tell you that it assigned this right)

You'll then need to create an account for each client that wishes to log on. Those accounts need the following rights:

- Log on as a batch job

 

 

Setting up the spawner service

 

First, just to make sure the spawner functioned at all, I installed it (as a service) by typing the following (from the C:\Program Files\SAS\SASFoundation\9.2\ directory):

spawner -service sas_spawner -install

 

 

Add the following to the SERVICES file (located in the c:\windows\system32\drivers\etc\ directory):

sas_spawner 5555/tcp #SAS Spawner

 

 

Setting up SAS/Connect with SSL

 

To import the Trusted CA Certificate (on both client and server):

Start->Run->certmgr.msc

Right click on the Trusted Root Certification Authorities folder and select All Tasks->Import.

 

 

Because the machine was not a member of Active Directory, I could not use MMC with the Certificates snap-in (normally you would right-click on the Personal folder from here and select All Tasks->Request New Certificate. However, in my case, it just yelled about not being able to contact an Active Directory Server).

Create a csr.inf with the following information:

[NewRequest]
Subject="CN=Eric Test1,OU=Eric Test Server,O=DataStat Inc,L=Ann Arbor,S=Michigan,C=US"
Exportable=TRUE
KeyLength=2048
MachineKeySet=TRUE
KeySpec=1

Then, run certreq to generate the request:
certreq -new csr.inf newreq.pem

Note that I *should* have been able to specify FriendlyName="My Name" under the [NewRequest] section. I could not, however, get this to work. It always threw an error. Once I removed that option, it ran fine.

I then copied this file to our CA and signed it by typing /usr/lib/ssl/misc/CA.pl -sign, which created a newcert.pem file.

I copied this back to the workstation and ran:
certreq -accept newcert.pem

After I did this, I could still not see it in the Certificate Manager (certmgr.msc). Apparently, I had to import the signed certificate. I right-clicked on the Personal folder and selected Import. I navigated to the newcert.pem file, clicked Next and all that, and voila! It now showed my certificate under Personal folders. See, who the hell needs Active Directory??

Note that once the certificate is showing up in the Certificate Store, it will let you select Properties and then change the Friendly Name.
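
An added check for the certificate steps above (not part of the original notes): csr.inf sets MachineKeySet=TRUE, so certreq works in the local machine context, while certmgr.msc displays the current user's stores, and a .pem imported through the wizard carries no private key. This PowerShell lists the certificate in both Personal stores with its private-key and chain-trust status; the function name is illustrative.

```powershell
# Added example: locate a certificate by subject CN in both Personal stores
# and report whether the private key is attached and the chain is trusted.
function Find-CertBySubject {
    param([Parameter(Mandatory = $true)][string]$CommonName)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        $hits = @(Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*CN=$CommonName*" })
        foreach ($cert in $hits) {
            # Build the chain without revocation lookups: revocation data may
            # not be reachable for a private CA, and only root trust matters here.
            $chain = New-Object "$x509.X509Chain"
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $trusted = $chain.Build($cert)

            New-Object PSObject -Property @{
                Store         = $store
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                ChainTrusted  = $trusted
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

# CN taken from the Subject line of csr.inf above.
$found = @(Find-CertBySubject -CommonName 'Eric Test1')
$found | Format-Table Store, HasPrivateKey, ChainTrusted, NotAfter, Thumbprint -AutoSize

if ($found.Count -eq 0) {
    Write-Warning 'No matching certificate in either Personal store.'
} elseif (-not ($found | Where-Object { $_.HasPrivateKey })) {
    Write-Warning 'No copy of this certificate has a private key attached.'
}
```

Run it as the account the spawner service logs on with, since the current-user stores and trusted roots differ per account.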

Now, to get SAS running with SSL!

Normally, I would add the spawner by running the following from the command line (from the SAS installation dir):

spawner -service sas_spawner -install -comamid tcp

 

*** When I installed the spawner this way, it would crash immediately upon startup. The event viewer indicated the following error:

Faulting application name: spawner.exe, version: 9.21300.19370.57226, time stamp: 0x4baadf90
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b802
Exception code: 0xc0000374
Fault offset: 0x00000000000c6df2
Faulting process id: 0xe04
Faulting application start time: 0x01cb357599a46cb1
Faulting application path: C:\Program Files\SAS\SASFoundation\9.2\spawner.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: d8b8675a-a168-11df-b0f1-485b39cadb65

When I tried starting it manually from the Services program, a pop-up window would appear with the following error:

Windows could not start the SAS Job Spawner service on Local Computer.
Error 1067: The process terminated unexpectedly.

The -service option specifies the port that you want the spawner to listen on. You used to be able to specify a keyname/alias from the services file here. As it turns out, either with SAS v9.2 or with Windows 7 64-bit (I'm not sure which), you can no longer specify the service key name here! Instead, you must specify the actual numeric (tcp) port. Therefore, when I installed it with the following command line, it started just fine (completely omitting the -service option worked as well):

spawner -service 5555 -install -comamid tcp

*** Note that installing the spawner without the -service option will default to it listening on port 23 (telnet). And who the heck wants that?!

*** Note that installing the service this way will set both the key name and the display name to the same thing, which is "SAS Job Spawner."

Now, I tried installing it to force encryption (using SAS/Secure). Here is the command I used:

spawner -service 5555 -install -comamid tcp -netencrypt -netencralg aes -netencralg des

The -netencrypt option forces an encrypted connection; a client that cannot encrypt will not connect. The -netencralg option specifies the algorithm to use. Because I used the option twice, it will use the first algorithm if the client supports it. If not, it will try the next one. If that still does not work, the client will be unable to connect.
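
An added example (not from the original notes or from SAS) that reviews a spawner install command line for the settings discussed above: the port 23 default, a services-file name passed to -service, missing -netencrypt, and DES left in the -netencralg fallback list. The function name is illustrative, and it interprets only options that appear on this page.

```powershell
# Added example: flag risky spawner install options.
# Only options that appear on this page are interpreted.
function Test-SpawnerOptions {
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    $tokens   = @($CommandLine -split '\s+' | Where-Object { $_ })
    $findings = @()
    $algs     = @()
    $port     = $null
    $encrypt  = $false

    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $hasValue = ($i + 1) -lt $tokens.Count
        switch ($tokens[$i].ToLower()) {
            '-netencrypt' { $encrypt = $true }
            '-service'    { if ($hasValue) { $port = $tokens[++$i] } }
            '-netencralg' { if ($hasValue) { $algs += $tokens[++$i].ToLower() } }
        }
    }

    if ($null -eq $port) {
        $findings += 'No -service option: the spawner listens on port 23 (telnet).'
    } elseif ($port -notmatch '^\d+$') {
        $findings += "-service '$port' is a services-file name, not a numeric port."
    } elseif ($port -eq '23') {
        $findings += 'Listening on port 23 (telnet).'
    }
    if (-not $encrypt) {
        $findings += 'No -netencrypt: connections are not required to be encrypted.'
    }
    if ($algs -contains 'des') {
        $findings += 'DES (56-bit key) is accepted as a fallback algorithm.'
    }
    return ,$findings
}

# Command lines from this page, plus one constructed AES-only variant (last).
$samples = @(
    'spawner -service sas_spawner -install -comamid tcp',
    'spawner -service 5555 -install -comamid tcp -netencrypt -netencralg aes -netencralg des',
    'spawner -service 5555 -install -comamid tcp -netencrypt -netencralg aes'
)
foreach ($s in $samples) {
    $result = Test-SpawnerOptions -CommandLine $s
    if ($result.Count -eq 0) { $result = @('no findings') }
    "{0}`n  -> {1}" -f $s, ($result -join "`n  -> ")
}
```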

When the client tries to connect but cannot because of an encryption negotiation failure, the following error will appear in their SAS log:

NOTE: Script file 'tcpwin.scr' entered.
ERROR: Script file interpretation terminated due to error.
ERROR: A communication subsystem partner link setup request failure has occurred.
ERROR: recv call failed, lost connection with client.
ERROR: Remote signon to SASSREMOTE1 cancelled.

*** Note that after I installed the spawner as a service, I went into that service's properties and changed the Log on as account to one with the rights specified above. *** Note also that those permissions are not enough! I had to grant Administrator rights to that account to get the service to stop terminating as soon as it started. It appeared to have something to do with ntdll.dll once again. So, I'm missing something.

 

However, if you want to force it to use SSL, I would install it using the following command:

spawner -security -netencryptalgorithm ssl -sslcertsubj ThisSubject

-servpass
-servuser

At first when I tried adding this, I got the error, "ERROR: Unrecognized encryption algorithm." I thought maybe I was mistaken about SAS supporting SSL without purchasing the $1300 SAS/Secure module! I went back and checked their documentation which clearly states that SSL is separate from SAS/Secure, and a license is not required. So why would it not accept the -netencryptalgorithm ssl option??

I read somewhere that you could not specify a netencryptalgorithm option, other than sasproprietary, under Windows unless a Cryptographic Service Provider (CSP) was provided (such as the CryptoAPI). I am not terribly familiar with the CryptoAPI, but under Services I saw "Cryptographic Services," which was started, so for now I'll assume it's ok.

According to this, you can access (and should see) the previously installed cert through IE (from Tools->Internet Options->Content->Certificates). I could not see it under the Personal tab, so I tried re-importing the signed key file. It once again told me the import was successful, but it still did not appear in that list (even though from certmgr.msc, it did appear in the list under the Personal folder).

Let's try this again. Apparently XP Pro comes with IIS 5.1, with a 10-user license. Who knew?? So, I went to Control Panel->Add/Remove Programs->Add/Remove Windows Components, and installed it (note that if you're looking for the IIS Configuration Console, which is normally sitting right there in the Start Menu when you actually install Windows Server with IIS, the installation on XP Pro put it under Computer Management).

I then obtained the IIS 6.0 Resource Kit Tools so that I could create a self-signed certificate.

 

 

As it turns out, SAS with SSL requires Certificate Services to be installed on the server. This cannot be installed on Windows XP Pro. I've read that it can be installed on Windows 2000, but I do not see it under Add/Remove Windows components, so perhaps that was referring to W2k Server. Luckily, it is installable on Windows 7.

For SSL, you are required to have, as this page says, "Microsoft Certificate Services add-on software. For SAS/CONNECT, a client session that runs on a computer that has a Trusted CA Certificate. This is necessary in order for a SAS/CONNECT client session to connect to a SAS/CONNECT server session via a Windows spawner using SSL encryption. The Windows spawner must run on a computer that has a Trusted CA Certificate and a Personal Certificate."

 

To change the default SAS work directory

The configuration settings are stored in a file called sasv9.cfg in the C:\Program Files\SAS\SASFoundation\9.2\nls\en\ directory. Up near the top of the file I found a line that read -WORK "!TEMP\SAS Temporary Files". I changed this to read -WORK "E:\SASTemp".

I also changed the default user profile folder by changing the -SASUSER "?CSIDL_PERSONAL\My SAS Files\9.2" line to -SASUSER "F:\MySAS".

 

*** To check if you have SAS/Secure installed, look for a file called tcpdcapi.dll in the C:\Program Files\SAS\SASFoundation\9.2\securwin\sasexe directory.

Signing on through SAS/Connect

Communication Access Methods for SAS/Connect

Certreq.exe options

http://www.cs.virginia.edu/~gsw2c/GridToolsDir/Documentation/ImportTrustedCertificates.htm

Great explanation of using certreq.exe to generate a request

Encryption in SAS 9.2

Encryption in SAS 9.2 (pdf)

NETENCRALG system option

Importing/exporting certificates/private keys

A comparison of encryption algorithms in SAS v9.1