Connecting from SAS 9.4 to Azure Quickstart
The SAS Viya Azure Quickstart is a reference architecture for users who want to deploy the SAS platform, using microservices and other cloud-friendly technologies. By deploying the SAS platform in Azure, you get SAS analytics, data visualization, and machine-learning capabilities in an Azure-validated environment.
The following SAS Viya environment is built in the Microsoft Azure cloud.
SAS Viya on Microsoft Azure
As we can see, the CAS controller is in a private subnet and by default not accessible from the public internet.
Beginning with SAS 9.4M5, you can submit code to SAS Viya 3.3 and later releases of Cloud Analytic Services (CAS). From a SAS session with the CAS server, you can load data to CAS server memory. Then, you can save tables in CAS server memory and submit DATA step code, SAS Viya Analytic procedures, CAS server utility procedures, and Base SAS procedures.
Recently, I was contacted by a Danish colleague, Christian Christensen, who asked me how he could connect from an on-premises Windows SAS94 DI Studio client to the CAS controller in an Azure Quickstart in order to load data.
This can be accomplished in one of two ways: by creating a CAS libname that connects a SAS session to a CAS session, or by starting a CAS session directly in the SAS94 client and using PROC CAS. The issue with the Azure Quickstart is that, by default, the CAS controller doesn’t have a public IP address, so we can’t connect to CAS port 5570.
All is not lost, however. The steps below show how to assign a public IP address to the CAS controller for access to the SAS environment.
Make the CASController accessible
Go to the Networking settings of the controller virtual machine and click on Network Interface: CASController NetworkInterface.
CASController network interface
In the Network interface screen, click on IP configurations. You should see ipconfig1 with a Private IP address but no Public IP address. Double-click on ipconfig1.
CASController IP configuration
Link a Public IP to the configuration by clicking on the Associate button.
Associate CASController public IP address
As we don’t want to use an existing IP address, click Create new.
Create new public IP address
Provide a name to the IP address. It’s good practice to make it a static IP.
Create static IP address
Next, associate this IP to the interface by clicking Save.
New public IP address created
If the association is successful, you should see a Public IP address associated to the CASController_NetworkInterface.
CASController network interface configuration
Now let’s test the connection. When we try to curl port 5570 with the newly created IP address it doesn’t work.
CAS connection attempt
The connection fails because we must first open port 5570 for the allowed source IP address or range.
Add port and source IP range
Note: as the user, you must fill in the Port and Source fields appropriate for your environment.
After configuring the port for the IP address, the curl to port 5570 should successfully resolve.
Successful CAS connection
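The portal steps above can also be scripted with the Azure CLI. The following is an added example, not part of the original article: the resource group, NSG name, public IP name, rule name, rule priority and the /24 minimum prefix are assumptions to replace with your own values, and the function refuses to open port 5570 to a catch-all source.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps, with a source check.
RG="my-viya-rg"                        # placeholder: Quickstart resource group
NIC="CASController_NetworkInterface"   # NIC name as shown in the portal; verify yours
NSG="my-viya-nsg"                      # placeholder: NSG that filters the CAS controller
PIP="cascontroller-pip"                # placeholder: name for the new public IP
MIN_PREFIX=24                          # assumed policy: nothing wider than a /24

# Succeeds only for an IPv4 address or CIDR no wider than MIN_PREFIX.
# Rejects "*", "Any", "Internet", 0.0.0.0/0 and similar catch-all sources.
is_restricted_source() {
  src=$1
  case "$src" in
    */*) addr=${src%/*}; prefix=${src#*/} ;;
    *)   addr=$src;      prefix=32 ;;
  esac
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ]
}

# Creates a static public IP, attaches it to ipconfig1 and adds the inbound rule.
open_cas_port() {
  src=$1
  if ! is_restricted_source "$src"; then
    echo "refusing to open 5570 to '$src'" >&2
    return 1
  fi
  az network public-ip create --resource-group "$RG" --name "$PIP" \
      --allocation-method Static &&
  az network nic ip-config update --resource-group "$RG" --nic-name "$NIC" \
      --name ipconfig1 --public-ip-address "$PIP" &&
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
      --name Allow-CAS-5570 --priority 310 --direction Inbound --access Allow \
      --protocol Tcp --destination-port-ranges 5570 \
      --source-address-prefixes "$src"
}

# Usage (203.0.113.10 is a documentation address, not a real client):
#   open_cas_port "203.0.113.10/32"
```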
Although we have cleared access to SAS, we are still not ready to load data from our SAS9 client to CAS. Before submitting programs to the CAS server from SAS 9.4, security certificates must be in place and you must be authorized to connect to the CAS server. For more information, see Configure SAS 9.4 Clients to Work with SAS Viya and Client Authentication Using an Authinfo File.
Setting up the Client Authentication
Let’s start with creating the _authinfo file to authorize the client to connect to the CAS server. I followed an internal blog created by my colleague Gilles Chrzaszcz.
Here are the key steps:
cd c:\Users\myuserid\
copy /y nul _authinfo
icacls _authinfo /inheritance:r
icacls _authinfo /remove "NT AUTHORITY\system"
icacls _authinfo /remove "BUILTIN\Administrators"
icacls _authinfo
Next, edit the _authinfo and make sure there’s an entry like this:
host controller.viya.sas port 5570 user sasadmin password ****
Be sure the hostname in the entry is controller.viya.sas, because the certificate was created for that hostname. You can also use PROC PWENCODE to encode the password.
Also, add an entry to your C:\Windows\System32\drivers\etc\hosts file (replacing the IP address with the one for your environment).
13.94.135.211 controller.viya.sas
Continuing on, let’s see if we can start a CAS session from our SAS client.
options cashost="controller.viya.sas" casport=5570;
cas mySession user=sasadmin;
ERROR: Windows SSL error -2146869244 (0x80096004) occurred at line 2696, the error message is "The signature of the certificate cannot be verified. "
ERROR: Secure communications error status 807ff008 description "40.113.77.78: Windows SSL error-2146869244 (0x80096004) occurred at line 2696, the error message is "The signature of the certificate cannot be verified. ""
ERROR: Windows SSL error -2146869244 (0x80096004) occurred at line 2696, the error message is "The signature of the certificate cannot be verified. "
ERROR: The TCP/IP negClientSSL support routine failed with status 807ff008.
ERROR: Encryption run-time execution error
ERROR: Failed to connect to host 'controller.viya.sas', port 5570.
ERROR: Unable to connect to Cloud Analytic Services controller.viya.sas on port 5570. Verify connection parameters and retry.
As you can see from the error message, we need to import some certificates from SAS Viya. I highlight the process in the next section. You can follow the full instructions in the documentation: Configure SAS 9.4 Clients to Work with SAS Viya.
Setting security certificates in place
On the CAS controller navigate to the /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts directory.
By using the keytool command (as seen below), I knew to use controller.viya.sas as the CASController hostname. It’s for this reason I added it to the hosts and _authinfo files on the client side.
keytool -printcert -v -file trustedcerts.pem | grep DNSName
GeneralName: DNSName: .gr
GeneralName: DNSName: .eu
GeneralName: DNSName: .edu
GeneralName: DNSName: .org
DNSName: localhost
DNSName: controller
DNSName: controller.viya.sas
DNSName: *.controller.viya.sas
DNSName: *.controller
DNSName: services
DNSName: services.viya.sas
DNSName: *.services.viya.sas
DNSName: *.services
To continue, let’s open the vault-services-ca.crt (located in the cacerts directory). An example of the file follows (output shortened for brevity).
[sasdemo@sasserver cacerts]$ cat vault-services-ca.crt
-----BEGIN CERTIFICATE-----
MIIFJzCCAw+gAwIBAgIUT56HJhX9lBChchj+lnjOz0QYclAwDQYJKoZIhvcNAQEL
..................
CIfCBnAMPnysgf1DFAyj9bva75oqJIE8n7lDwCUkAt/IU
fEI0QxdhGAZTf4gnkIW2ioHavoKN8LLWY8hvdb5ylg2YdnimMIvUy30rJdcUEzFa
o2vLH+ors9vVT7z86ZS2fk0uqS9h8dF5TLOp
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEeDCCAmCgAwIBAgIUc+A1qJ32ANwuCxOR9YUp9qn8ciQwDQYJKoZIhvcNAQEL
.................
rPNJidenyCDBjG0V7QegoQiy0UVGKUti1g2Ydn9juss+ii
MQ/mYIJktWsc6+wlZesvWeEoToe6+lm9/Mc4WojfzNd0BxMEnK/Ga2vNGPY=
-----END CERTIFICATE-----
The file contains two certificates: the SAS Viya root CA certificate and the SAS Viya intermediate CA certificate. These certificates must be imported into the Windows certificate store one at a time. This requires creating two separate files, one containing the root CA certificate and the other containing the intermediate CA certificate. Use a text editor and cut and paste as appropriate.
Use the instructions from the SAS documentation to import the two CA certificates into the Windows Trusted Root Certificate Authorities store.
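As an alternative to cutting and pasting by hand, the bundle can be split on the CAS controller before the files are copied to the client. This is an added example, not part of the original article or the SAS documentation: the output file names are hypothetical, and cert_role assumes the openssl command is installed on the controller.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one file per certificate.

# Writes <outdir>/viya-ca-1.crt, viya-ca-2.crt, ... (hypothetical names)
# and prints the number of certificates found.
split_pem_bundle() {
  bundle=$1
  outdir=$2
  awk -v dir="$outdir" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/viya-ca-%d.crt", dir, n) }
    out != ""                      { print > out }
    /^-----END CERTIFICATE-----/   { close(out); out = "" }
    END                            { print n + 0 }
  ' "$bundle"
}

# Prints "root" when subject and issuer names match (self-issued),
# otherwise "intermediate". Requires openssl.
cert_role() {
  subject=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
  issuer=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
  if [ "$subject" = "$issuer" ]; then echo root; else echo intermediate; fi
}

# Usage on the CAS controller, from the cacerts directory:
#   split_pem_bundle vault-services-ca.crt /tmp
#   cert_role /tmp/viya-ca-1.crt
```

Running cert_role on each output file tells you which one is the root CA and which is the intermediate CA before you import them.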
Now it’s time to check if we can start a CAS session.
/* STARTING CAS SESSION */
cas mySession user=sasadmin;
cas mySession sessopts=(caslib=public);
/*SUBMIT CAS LIBNAME*/
LIBNAME CASDM CAS CASLIB=PUBLIC PORT=5570 SERVER="controller.viya.sas" ;
17 /* STARTING CAS SESSION */
18 options cashost="controller.viya.sas" casport=5570;
19 cas mySession user=sasadmin;
NOTE: The session MYSESSION connected successfully to Cloud Analytic Services controller.viya.sas
using port 5570. The UUID is c9a2cf49-fa10-9644-8024-36de2ce7403e. The user is sasadmin and the
active caslib is CASUSER(sasadmin).
NOTE: The SAS option SESSREF was updated with the value MYSESSION.
NOTE: The SAS macro _SESSREF_ was updated with the value MYSESSION.
NOTE: The session is using 0 workers.
20 cas mySession sessopts=(caslib=public);
NOTE: 'Public' is now the active caslib.
NOTE: The CAS statement request to update one or more session options for session MYSESSION completed.
Success!
And with that you have everything in place to load data directly into CAS. You can use PROC CASUTIL:
proc casutil;
load data=sashelp.cars casout="cars1" promote;
run;
quit;
or, a SAS DATA step:
data CASDM.CARS2;
set sashelp.cars;
run;
proc casutil;
promote casdata="cars2";
run;
quit;
cas mySession terminate user=sasadmin;
Here is a repeat of the above steps with log information included:
24 proc casutil;
NOTE: Writing HTML Body file: sashtml.htm
NOTE: The UUID 'c9a2cf49-fa10-9644-8024-36de2ce7403e' is connected using session MYSESSION.
25 load data=sashelp.cars casout="cars1" promote;
NOTE: SASHELP.CARS was successfully added to the "Public" caslib as "CARS1".
26 run;
27 quit;
NOTE: PROCEDURE CASUTIL used (Total process time):
real time 2.16 seconds
cpu time 0.32 seconds
28 data CASDM.CARS2;
29 set sashelp.cars;
30 run;
NOTE: There were 428 observations read from the data set SASHELP.CARS.
NOTE: The data set CASDM.CARS2 has 428 observations and 15 variables.
NOTE: DATA statement used (Total process time):
real time 2.29 seconds
cpu time 0.04 seconds
32 proc casutil;
NOTE: The UUID 'c9a2cf49-fa10-9644-8024-36de2ce7403e' is connected using session MYSESSION.
33 promote casdata="cars2";
NOTE: Cloud Analytic Services promoted table CARS2 in caslib Public to table cars2 in caslib Public.
NOTE: The Cloud Analytic Services server processed the request in 0.00117 seconds.
34 run;
You should see two datasets in PUBLIC Caslib.
Tables available in the Public Caslib
I’m now set up exactly the same way as a local SAS Studio session that allows me to connect to the Azure CAS controller.
By using the caslib _all_ assign statement I can see and work with the CASLIBS of the Azure Quickstart environment.
Assign all Caslibs in SAS Studio
Finally
So, with that, we were able to connect to a CAS instance that sits in a private Azure Virtual Network. The architecture of the Azure Quickstart has been well thought out and set up to allow only HTTPS traffic over the load balancer. But it’s good to know you have a quick alternative for connecting directly to the CAS controller port, allowing your own on-premises SAS94 server to connect as a client.