BookmarkSubscribeRSS Feed
doq
Fluorite | Level 6 doq
Fluorite | Level 6

Hi, I am a newb to SAS.  We are implementing SAS Office Analytics on GCP (Google Cloud Platform) and are having problems getting to SAS Studio from outside the cloud (i.e., our corp. network).

 

So, I have installed SAS OA as a 3 machine configuration (SAS App/Metadata/Mid-Tier) in our GCP VPC.  We have set up load balancer with the backend directed to the SAS Mid-Tier server on port 7980 (the default).  Access to servers in the VPC is, of course, restricted and is controlled via a bastion server on port 22, hence the need for the LB.  The load balancer is HTTPS on the front end (i.e., coming into the cloud) and HTTP on the backed (i.e., inside the cloud going to SAS).

 

Our problem is that when we attempt to open a SAS Studio connection through the load balancer, we are seeing that SAS redirects the browser to a logon URL for SAS using the local (cloud) host name for the Mid-Tier server, which is not defined in the public network outside the cloud.  This of course fails for DNS name resolution.  We have attempted for troubleshooting/testing purposes to add the FQDN for the Mid-Tier server in a local hosts file on the originating PC with an IP of the load balancer, and this gets us past the name resolution but not into the SAS Server.  Still working on that from a cloud perspective.

 

NOTE: I have tested the failing URL from the redirect using a cURL on the SAS Mid-Tier and it works, so, this looks to be a cloud/connectivity related issue vs. a SAS OA/SAS Studio issue 

 

So, my question, is there another way to configure this to make it work?  Am I missing something in the configuration?  Is there some way I can prevent that bounce back redirect or specify our 'SASCLOUD' host name that is defined for the LB outside of GCP?  Any help/suggestions here would be greatly appreciated...

 

Thanks, Dennis

6 REPLIES 6
JuanS_OCS
Amethyst | Level 16

Hello @doq,

 

yours is a very interesting question.

 

First, I have to say, the subject of the topic seems to be a bit confusing/misleading, since you are asking about web configuration (on SAS 9.4? on SAS Viya?) but you mention SAS DI as well, which does not really seem to be very related. 

 

Now, going to the point, I think that something in your configuration is mixing up the Internal URL addresses with the External URL addresses.

 

How did you achieve connection from the "outside world" you your SAS server? I can think of:

 

Depending on your configuration, you will need to look into different places: the web server acting as reverse proxy, SAS metadata, configuration files, firewall configuration, DNS configuration, or even a mix of them.

 

If it is the 1st option, a reverse proxy configuration, if it is SAS 9.4, and there is something your IT teams cannot understand, there is a chance that something is wrong in the SAS metadata configuration. SAS Metadata defines the redirect rules, also for internal and external URLs (and its detection). If this is the case, and since it is a bit complex to analyse in detail your problem from here, if you do not feel comfortable with making changes in SAS, I would highly recommend you to get support from SAS and get an specialised Consultant on-site. Perhaps you can start with contacting SAS Technical Support, or your SAS representative.

 

If your configuration is based on the second or third option, while SAS/we can help you, the main responsibility is on your IT teams shoulders.

 

PS. configuration options for Viya/CAS are there http://documentation.sas.com/?docsetId=calserverscas&docsetTarget=n08000viyaservers000000admin.htm&d...

However, no details for internal/external addresses, just a single point of entry.

 

Kind regards,

Juan

 

 

 

 

doq
Fluorite | Level 6 doq
Fluorite | Level 6

Hi Juan,  Thanks for your reply, I am sorry, I do not know how I got that title on this post.  I have changed the subject line and hopefully that will get the title too.

To Clarify, this is all about SAS Office Analytics 9.4M5 running on Google Cloud (with a 3 machine configuration (SAS/Metadata/Mid-Tier)).

 

As described in my opening post, we have a LB front end as the entry point into GCP and the SAS server(s).  The DNS entry name for the LB IP address is completely different from the cloud SAS Mid-Tier server host name (sascloud...com (external) vs. sas-mao-midtier...internal (internal).  The problem arises when we try to hit the cloud sas server.  We get there fine, but, it 'redirects' us from

 

https://sascloud.homedepot.com/SASStudio (note, the port (7980) is added on by the LB via the back end configuration)

to...

https://http://sas-mao-midtier.c.gcp_project.internal:7980/SASLogon/login?service=http://sas-mao-midtier.c.g...

 

So, the real question is how to control this redirect.  NOTE: if we modify the redirect URL, we can get in, and we get a login prompt for ID/psw.  If we enter a bad psw, we correctly get and invalid password response.  If we enter a good ID/psw, then we get an error: "The application is not authorized to use SAS Logon Manager."

 

We would like to not have to use the SASLogon link of course, so, the preferable solution would be to fix the redirect issue.  However, we will also need to correct the actual login issue as well (The application is not authorized to use SAS Logon Manager.)

 

Any help with this would be greatly appreciated....

JuanS_OCS
Amethyst | Level 16

 Hello @doq,

 

thank you! That, I believe, it fully clarifies the problem. And it is much more simple than I initially guessed.

 

The problem is that SAS, by default and for security reasons, block incoming and outgoing HTTP requests from unknown URLs/hosts. The only one known, by default, are the ones set up during deploying time. I expect the initial deployment was done with internal URLs only, hence, the external/cloud ones, are unknown.

 

SAS manages those known URLs with a whitelist, in the SAS metadata.

 

Problem Note 55044: SAS® Web Infrastructure Platform applications (including SAS® Logon Manager) might be vulnerable to Cross-Site Request Forgery attacks http://support.sas.com/kb/55/044.html

 

Whitelist of Websites and Methods Allowed to Link to SAS Web Applications http://documentation.sas.com/?docsetId=bimtag&docsetTarget=p1xtsni38p58t3n1ljd2fy4c3joz.htm&docsetVe...

 

 

This is your parameter to change:

 

sas.web.csrf.referers.knownHosts
Specify the URL of servers, other than SAS servers, that can perform certain actions within the SAS installation. This allows users to add additional known hosts to the list of known hosts that are automatically calculated by the system. Specify as a comma-separated list.
To enable hostname1.example.com and hostname2.example.com, enter the following: http://hostname1.example.com/,http://hostname2.example.com/.
Note: Omitting the trailing slash could allow sites to use a prefix attack to bypass these protections.
Note: You can restrict a value to an application on the whitelisted site by including the application's path in the value. Here is an example: http://hostname.example.com/my-application/.
Note: By default, during a migration of a product from one version to another version, the value for this property continues to specify the source server.

 

Once you do it, you will need to restart your middle tier to take effect the change.

 

Hope it helps!

 

Kind regards,

Juan

doq
Fluorite | Level 6 doq
Fluorite | Level 6

Thank you Juan, I like that answer.  Unfortunately, due to this problem, I have not been able to figure out how to access the SAS Management Console.  How do I configure this *without* the management console?  Still searching the conf directories, but can't find that parm...

JuanS_OCS
Amethyst | Level 16

Hello @doq,

 

I think you can do this, in this case, only with the SAS management console.

 

You can always do a remote connection to the server (RDP or SSH) and open SAS Management Console from the server itself and use the internal hostname.

doq
Fluorite | Level 6 doq
Fluorite | Level 6

Thank you Juan, I *don't* like that answer as much...  ;)....  However, that is what I finally did last night.  Spun up a windows instance in the cloud, copied the SAS Software Depot to that new instance, and then installed the client packages there, where I could reach my SAS servers on the 'local' network.  Unable to open the management console from my desktop (using Mobaxterm since our SAS is on Linux) due to the similar issues.  Our direct access to the servers is via tunneling through a bastion server and though I set up a tunnel in Mobaxterm and was able to connect via a Mobaxterm PuTTY session, the sasmc command would not work.

 

Still trying to figure out why SAS cares about the host name outside the LB.  I would think that the LB would change the DNS entry/target host name on the URL to the real host (i.e., metadata server name) on the back-end, which means that our SAS should never see that 'external' (to the cloud) host name we are using on the corporate network.

 

Thanks much, D

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 6 replies
  • 2192 views
  • 2 likes
  • 2 in conversation