Hello All
I have come across the following statements
1. When a SAS program connects to a data base , and the program sends authentication details to the database, the details are transmitted in clear text
2. When the database authentication details are stored in Authentication domain in the metadata server, metadata server transmits passwords to the database in encrypted form
However my understanding is that in either case the passwords are transmitted in the same fashion .
I would appreciate if somebody can enlighten on this?
Just to complete what @Kurt_Bremser mentioned:
Introduction to How SAS/ACCESS Works - http://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.2&docsetId=acreldb&docsetTarget=p0h7i...
SAS Security - http://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.2&docsetId=acreldb&docsetTarget=n020g...
Securing Data
SAS preserves the data security provided by your DBMS and operating system. However, SAS/ACCESS does not override the security of your DBMS
All in all, 2 comments:
- You can always see/test by yourself, by putting a network sniffer between the SAS server and your database and capture the packages when the DBMS connection is set active. And you will get your answer, if it is understandable text or not.
- I would recommend you to drop this question at SAS Technical Support. This question on security seems to be the perfect fit for them, who can provide you the best and official answer.
That’s probably a question for tech support.
Hello @thesasuser,
The answer it is actually much easier. Traditionally, a SAS libname to a database looks like this, showing user and password, which sill be shown as is on the logs. Not very secure.
libname mydata odbc complete="driver=SQL Server;
user=user-ID;
pwd=password;
database=SQL-database;
Server=server-name"
schema=schema-name;
However, if you have a SAS Metadata server, you can store your credential, besides on the libname definition, but on a system named an Authentication Domain. This Auth Domain is no more and no less than a name (say you call it myDBAuth). This name, will be atttached to your DB connection and to an account stored in the metadata. If this account is stored in a SAS usergroup insted of a SAS user, all the users in this group will connect to that database using the credentials on the account, and you will never see the password on the log.
Let me recommend you give a read to these docs:
http://support.sas.com/documentation/cdl/en/mcsecug/69854/HTML/default/viewer.htm#aboutum.htm as good introduction
Thanks JuanS_OCS.
I appreciate your time and effort in replying to my query.
However my question is about how the authentication details are passed from the SAS metadata server to the database.
Is it plain text or encrypted. ?
My understanding is that whatever method one uses to connect to the database from SAS, (via authentication /domain metadata server route or directly using either libname / or proc sql connect to...) the credential would be passed in the same way.
I was wondering if anybody from the community could answer this?
Thanks LinusH.
I appreciate your time and efforts in replying.
I am sorry your reply does not answer my question.
SAS uses the DB client to communicate with the DB. Since that client has to be installed on the SAS server, all communication with it runs over memory-protected sockets in the local environment, no encryption necessary. How that client then communicates with the DB server over the network connection is determined there, not in SAS.
@thesasuser wrote:
Thanks LinusH.
I appreciate your time and efforts in replying.
I am sorry your reply does not answer my question.
Just to complete what @Kurt_Bremser mentioned:
Introduction to How SAS/ACCESS Works - http://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.2&docsetId=acreldb&docsetTarget=p0h7i...
SAS Security - http://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.2&docsetId=acreldb&docsetTarget=n020g...
Securing Data
SAS preserves the data security provided by your DBMS and operating system. However, SAS/ACCESS does not override the security of your DBMS
All in all, 2 comments:
- You can always see/test by yourself, by putting a network sniffer between the SAS server and your database and capture the packages when the DBMS connection is set active. And you will get your answer, if it is understandable text or not.
- I would recommend you to drop this question at SAS Technical Support. This question on security seems to be the perfect fit for them, who can provide you the best and official answer.
The SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment.
SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.
Find more tutorials on the SAS Users YouTube channel.