Hi all,
some questions and considerations about the SAS Environment Manager, from which basically I look for quick answers coming from your experiences.
1- Woult it make sense to you to publish SAS EVM on http if the other SAS web applications work under https?
2- If SAS Environment Manager is not working, and never worked before: would it make sense to you to un configure (completely) the related components and re-configure/re-deploy again on all the machines of a SAS deployment?
3- Any known issue when SSO is configured on the web?
4- SAS environment manager has a 1-1 relationship with its own SAS level. Has anyone ever implemented SAS environment manager to monitor and manage more than 1 SAS configuration level at a time? Would this make sense to you, to be able to see and control all your SAS environment from a single view?
I am aware of the option to export alerts/monitors from SAS Environment Manager to a 3rd Party monitoring tool.
And an extra question, that it might bring not so quick answers:
- Considerations for deployment more than one SAS level/ SAS Environment Manager agents on the same machines, specially on Grid environments.
Thank you all in advance!
Best regards,
Juan
1. Woult it make sense to you to publish SAS EVM on http if the other SAS web applications work under https?
It depends upon your security requirements : generally speaking, securing an end-user to server communication channel like browser <=> Http server is always recommended these days. If your end-users are already accessing the Http server from a tightly-controlled environment (e g end-to-enf flow controlled, no internet access, no USB ports etc.) then I suppose, setting up HTTPS for a monitoring/administrative tool would not be so stringent.
The trouble with EVM is that it sometimes doesnt fit well with TLS/SSL : for instance, if you install SAS EVM behind a reverse proxy Http server holding the TLS/SSL certificate {browser accessing external UTRL on HTTPS} <=> { http proxy with SSL certificate} <=> {SAS EVM on Http out of the box } - then you will face troubleshooting ; support for these kind of topology has come only recently and requires some patches :
http://support.sas.com/kb/56/688.html
Check also with these notes :
http://support.sas.com/kb/56/465.html
http://support.sas.com/kb/56/451.html
(all notes provided to me by Nicolas from SAS France TS )
2- If SAS Environment Manager is not working, and never worked before: would it make sense to you to un configure (completely) the related components and re-configure/re-deploy again on all the machines of a SAS deployment?
I don't think so. SDM Deconfiguration tool (?) can be intrusive and partial, leaving some parameters unchanged in the PostGRE/WIP. I'd try fix it piecemeal and independently as much as I can.
3- Any known issue when SSO is configured on the web?
Never tried.
4- SAS environment manager has a 1-1 relationship with its own SAS level. Has anyone ever implemented SAS environment manager to monitor and manage more than 1 SAS configuration level at a time? Would this make sense to you, to be able to see and control all your SAS environment from a single view?
Smart question. Since SAS EVM is provided as one instance for a single installment, I suppose it will require some tweakings to make it work with several platforms - if ever technically feasible which remains to be confirmed. I think this might depend upon your physical/logical SS topology : for instance, if environments are physically ('host') separated then it's going to be painful or impossible, but if you install several environments on the same hardware (Dev + Tst on Machine set A, Prod on set B) logically separated then you might share one EVM instance somehow. On thr other hand, putting together some parts only to have a single EVM instance might look like a strong requirement.
I beleive sas env agents reads deployment files to populate sas env man with all resources in inventory. http is okay for all web apps when you are in your private network, why you want to keep just env manager on http and others at https?
monitoring from single portal all your sas configuration is i beleive posible, I will get back to you on this
Thanks @GyaniBaba
The question about http/https is just curiosity of mine. Specially since, if you select https during the installation for SAS EVM, http is still open. You need to follow some post-configurations in order to close it and make work properly the callback URLs.
Monitoring from a single portal is one of the question on what I am most interested.
Looking forward to discovering what you can find out, @GyaniBaba! 🙂
1. Woult it make sense to you to publish SAS EVM on http if the other SAS web applications work under https?
It depends upon your security requirements : generally speaking, securing an end-user to server communication channel like browser <=> Http server is always recommended these days. If your end-users are already accessing the Http server from a tightly-controlled environment (e g end-to-enf flow controlled, no internet access, no USB ports etc.) then I suppose, setting up HTTPS for a monitoring/administrative tool would not be so stringent.
The trouble with EVM is that it sometimes doesnt fit well with TLS/SSL : for instance, if you install SAS EVM behind a reverse proxy Http server holding the TLS/SSL certificate {browser accessing external UTRL on HTTPS} <=> { http proxy with SSL certificate} <=> {SAS EVM on Http out of the box } - then you will face troubleshooting ; support for these kind of topology has come only recently and requires some patches :
http://support.sas.com/kb/56/688.html
Check also with these notes :
http://support.sas.com/kb/56/465.html
http://support.sas.com/kb/56/451.html
(all notes provided to me by Nicolas from SAS France TS )
2- If SAS Environment Manager is not working, and never worked before: would it make sense to you to un configure (completely) the related components and re-configure/re-deploy again on all the machines of a SAS deployment?
I don't think so. SDM Deconfiguration tool (?) can be intrusive and partial, leaving some parameters unchanged in the PostGRE/WIP. I'd try fix it piecemeal and independently as much as I can.
3- Any known issue when SSO is configured on the web?
Never tried.
4- SAS environment manager has a 1-1 relationship with its own SAS level. Has anyone ever implemented SAS environment manager to monitor and manage more than 1 SAS configuration level at a time? Would this make sense to you, to be able to see and control all your SAS environment from a single view?
Smart question. Since SAS EVM is provided as one instance for a single installment, I suppose it will require some tweakings to make it work with several platforms - if ever technically feasible which remains to be confirmed. I think this might depend upon your physical/logical SS topology : for instance, if environments are physically ('host') separated then it's going to be painful or impossible, but if you install several environments on the same hardware (Dev + Tst on Machine set A, Prod on set B) logically separated then you might share one EVM instance somehow. On thr other hand, putting together some parts only to have a single EVM instance might look like a strong requirement.
Thanks a lot @ronan and great answers!
I am very glad to read that we share similar impressions and ideas about those deployments which some leave which similar questions.
1. HTTPS/SSL:
I faced the latest 2 notes and are part of my most used notes at this moment.
Since M2 there are additions to post-configuration steps that are not part on the Instructions.html, but on the SAS 9.4 Platform Intelligence guide for installations.
The first note never had to face it, thanks!
2. Deconfigure SAS EVM:
I could guess it, and it is what I was doing to this very moment. I am facing now one installation of SAS EVM which was configured when no SSL or SSO, then SSL, SSO and migration happened. I think I could fix the issues for SSL, but it is not working yet and I have the feeling that there is something really wrong over there. That is why that tricky question, before bothering SAS Technical Support with a hard question.
3. SSO:
D*mn it! 🙂
4. Different SAS level EVM agents on a single EVM instance:
Indeed, if I think about it, I can see several reasons to not to do it, due to the increasing close relationships: APM/ACM, not the BackupManager, the EVM database, its depencencies with the VA Audit reports and PostgreSQL...
Even if, let's say, I want just the monitoring functionality and no one of the other nice additions, I can hardly see tweaking an option due to the big impact, specially on maintenances or migrations. I might do it on a personal installation to play and test my understanding of the SAS architecture, but probably never on a customer, unless there is a better option that a batch of tweaks.
All in all, this is a bit of a grey area to me, but yours was the best answer so far. I will leave the conversation open without solution for a while. If no better answer, I will accept yours as solution because it was great.
I know that option but never tried, yet!
Do you know if Exports require to have EVM up and running or only the Agents? Have you tried Exports?
Neither did I. I suppose the exports requires the EVM to be up and running since Agents are only configured as "slaves" to the central "Master" EVM Server. As Nik from Boemska told me once, EVM is only the SAS via VMWare Proprietary version (a fork) of the Hyperic HQ open source product,
http://hyperic-hq.sourceforge.net/
so maybe - I would't know - there is a workaround to expose the agents/DWR metrics to a third-party application without relying on SAS EVM. I am doubtful.
The SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment.
SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.
Find more tutorials on the SAS Users YouTube channel.