Does anyone have any real-world experience installing, configuring, or otherwise using RSA SecurID authentication for SAS users on a UNIX platform? I am particularly interested in speaking with anyone using Enterprise Miner.
As background, we run a SAS 9.2 M3 Enterprise BI Server environment that includes Enterprise Miner 6.1. Individual users are defined in the system Metadata server and authenticate using "DefaultAuth". Enterprise Miner users launch the client using Java Web Start. Additionally, selected users connect to the server using Enterprise Guide (v 4.3) and others use SAS/CONNECT from full-blown PC clients (Win XP, Vista, and Win 7).
When a user attempts to connect to the server and is presented with a "password" dialog box, he must enter the "password" derived from his SecurID token. This "password" changes every 30 seconds. In other words, our users do not have "host account" passwords. Everything works just fine for SAS/CONNECT and Enterprise Guide users. Once a connection is made, it remains in effect for the user to do whatever he wants.
However, because of a design I still don't fully understand, Enterprise Miner works differently. Apparently, each "node" of an EM "project" causes a new SAS session to be started on the server (by the Object Spawner) and EM attempts to start the new session using the cached credentials (which have certainly expired). Obviously, this makes Enterprise Miner pretty useless.
Does anyone else have a similar environment and if so, would you be willing to help me with a solution? I do have an open track with SAS Tech Support but they share my frustration (apparently I am the only site in the world with this problem ;> ).
Thanks in advance,
Bob
PS - I'm going to post this same message to SAS-L. I hope that doesn’t offend anyone but there are so many different places where SAS users congregate these days.
Hi Bob,
Sounds like an interesting scenario.
If you don't get any better suggestions from SAS tech support and others, I would suggest you look at the possibility of converting the workspace server to SAS token authentication. That way the initial connection to the metadata server will be done using the password derived from the SecurID token, but then subsequent connections to the object spawner to launch workspace servers will not use cached credentials but SAS tokens (a trust mechanism based on the fact that the metadata server has already authenticated the user). A potential downside to this (which may or may not be an issue for you) is that the spawned SAS processes will then run as an operating system service/proxy account (like sassrv) instead of the requesting user and this needs to be considered in relation to file system access controls. It will also apply to all users of that workspace server in other applications too. Another consideration might be to have a dedicated application server with its own workspace server configured for SAS token auth specifically for SAS EM clients.
Cheers
Paul
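An added illustration of the difference described in the reply above; it is not part of the original post and is not SAS code. It models why a cached one-time code fails when a later session is spawned, while a token vouched for by the metadata server succeeds but runs the session as the service account. All class and function names are hypothetical, `otp` is a constructed stand-in rather than RSA's algorithm, and the single-use token store is an assumption of this model.

```python
import hashlib, hmac, secrets, struct

STEP = 30  # seconds; per the thread, the token code changes every 30 seconds

def otp(seed: bytes, now: float) -> str:
    # Constructed stand-in for a token code (not RSA's algorithm).
    msg = struct.pack(">Q", int(now // STEP))
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

class Host:
    """Host authentication: accepts only the code for the current time step."""
    def __init__(self, seeds):
        self.seeds = seeds
    def check(self, user, code, now):
        return user in self.seeds and hmac.compare_digest(code, otp(self.seeds[user], now))

class MetadataServer:
    """Authenticates the user once, then vouches for them with single-use tokens."""
    def __init__(self, host):
        self.host, self.sessions, self.tokens = host, {}, {}
    def login(self, user, code, now):
        if not self.host.check(user, code, now):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid
    def issue_token(self, sid):
        user = self.sessions.get(sid)
        if user is None:
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = user
        return token
    def redeem(self, token):
        return self.tokens.pop(token, None)  # pop makes the token single-use

class Spawner:
    """Object spawner model: returns the OS account the new session runs as, or None."""
    def __init__(self, host, meta, service_account="sassrv"):
        self.host, self.meta, self.service_account = host, meta, service_account
    def launch_host_auth(self, user, cached_code, now):
        # Replaying a cached code only works inside the same 30-second step.
        return user if self.host.check(user, cached_code, now) else None
    def launch_token_auth(self, token):
        # Trust the metadata server's earlier authentication, not a password.
        return self.service_account if self.meta.redeem(token) else None
```

With host authentication the session owner is the requesting user, and with token authentication it is the service account, which is the file-system access point raised in the reply.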
Hi Paul,
Thanks for your suggestion. As it turns out, this is a fine solution (at least I hope so). Rather than change the existing workspace server, we are going to create a new "Application Server Context" just for Enterprise Miner users. That "context" will have its own workspace and stored process servers (configured to different ports) and using SAS Token Authentication as you suggest. That way our Enterprise Guide users can continue to use their own IDs as normal.
I have tested this in a "practice" BI environment and it works great. As soon as I get my server upgraded to Solaris 10 this weekend, I will be installing a new BI environment with SAS 9.3 and setting this up.
This has been quite the learning experience! Thanks to you and some fine followup support from SAS Tech Support, I think we are finally on track to solving our very frustrating problem.
Bob
Well, it's three years later and I'm on SAS 9.4m2 two node Grid on RHEL 6.x and needing to do some security hardening with the RSA SecurID. Is RSA working for you and do you have any tips about installing and configuring for EGuide and EMiner?
I suggest you create a new post with a link back to this one. The reason being this post is already marked as answered so many participants won't bother to check it.