Hi there,   first question here: is your PSQL database the internal crunchy one or is it external, and if it is external, can you provide more information? ... View more

There is an excellent question of which I am curious about the stand from SAS. However, I hope you are aware that you might have open a tiny pandora box right there 🙂 The topic can be as short or as long as much attention it will receive.   I cannot give you your answers, but I can give some thoughts as former Java and CC++ programmer.   One side of the coin: Memory-safe programming languages, like Java,  are generally considered safer than other languages, like C or C++, as they provide their own memory management system and, hence, making harder (not impossible) direct memory access and tampering with pointers. Yet, one must consider that this "virtualization" or management layer is not necessarily ideal: it opens the gate to serious storage issues, lack of garbage collection and, perhaps the most notorious aspect, specially regarding SAS, it is very hard to fine tune them for performance, as there is a layer managing what you do and how at the lowest level. If you have taken the SAS Base programming courses I to III, you probably know by now how SAS operates with the data, allowing very fast results and calculations (if not, I highly suggest them!). This is possible thanks to being able to fine tune the memory management and pointers.   Other side of the coin: those considerations are stronger, for both sides, when you don't do your due diligence while programming. It is also broadly known that there is no reason at all for programming languages like C, C++, to be less secure than Java. Meaning, you need to spend extra time and efforts, testing, finding the exceptions, handling them, coming up with bright ideas on how to handle them, etc. This of course applies to the cons I mentioned to program languages like Java.   Therefore, we can agree that products from C or CC++ can be less secure than products from Java, albeit offering more performance. This would be generally speaking and perhaps for programming skill levels around average. These considerations are less applicable when you observe and manage well your code. Over time.    Now, coming back to SAS, I personally have not seen many security exploits in Base SAS and Base SAS components, however I have seen many coming from the HTML and Java components. In fact they are really frequent. In the meantime, SAS continues being exceptionally fast and accurate, albeit doing operations sequentially instead of with random access to disk! While, as a techy,  I am curious about updating the underlying language in which SAS is architected (or other applications are programmed), I feel as the current formula works really fine.  So, perhaps, I would like to ask you, what do you see in SAS engines (SAS, CAS, etc) that make it less secure? I would like to hear your thoughts, and from anyone. Thanks in advance, in case you would spend some time sharing your thoughts and experiences. ... View more

Excellent post which I think it could be adapted in the documentation of SAS Viya 4! Not only for this particular subject, but for anything referring to adjusting workloads / label /taints.    I often receive the question of how to handle the customization of pod workloads, and I often have to add information to the official documentation. I think your post covers it well! ... View more

The reason why I was detailed on the list of checks was also to point you out in the direction of items to do in case you have not done it yet. What else do you need? ... View more

Okay, I understand you have SSO working with Kerberos and SAS working fine. Does this mean..? your SAS EG users can login with IWA already, without credentials? Does a kinit & klist work giving you a valid ticket? Have you enabled your SAS Servers (starting with SAS Workspace server) to enable working with Kerberos? Eg: -authkerb -princ your-service-account@YOUR.REALM.COM -keytab /path/to/service-account.keytab Do you have a keytab created for your UPN and SPN as I indicated earlier? Eg: ktutil addent -password -p your-service-account@YOUR.REALM.COM -k 1 -e RC4-HMAC wkt /path/to/service-account.keytab   Did you set your SAS startup scripts to load the environment variables? export KRB5_KTNAME=/path/to/service-account.keytab export KRB5_CONFIG=/etc/krb5.conf export SAS_USE_KERBEROS=1   Having you already have done this: You need to configure your SLQ database for Kerberos authentication, to allow GSSAPI You created a SPN for the database (ensure it is registered in your SPNs together with the SPN of your SAS service) Test your Kerberos Authentication, without SAS, with your SQL server client of choice In SAS Metadata, have an Authentication Domain for your database. Meaning: a) create a group for your database users, include your users, in connection tab add the login of your service account to database connection (UPN?), assigning a label to your Authdomain (eg, SQLAuth); Optionally in addition, in your library, point to the database and the chosen Auth Domain. If you do this, when you use the libname generated by the metadata, the authdomain will be automatically used. If you your code (eg autoexec) use the libname, just use the "authdomain" when it is not taken directly from the metadata. Do test your connection This being said, I assume your service account, your users, the SAS server and the SQL server are under the same domain tree, and not in branches or other domains. If you need to cross domains, Kerberos/SSO will not work (or it is quite challenging and not supported by Microsoft, Linux or SAS).   If you or your team have enough confidence in Kerberos, you can probably achieve it by yourself. If not, as you see it has some complexity, I would highly advise to reach out to a certified SAS professional, either in SAS or an specialized partner.         ... View more

Generally, association via “Open with” then "another app" from your contextual menu should do the trick. Or with the SAS Deployment Manager installed on your machine. Alternatively: * via Apps then Default Apps * Or, more technical, via your registry editor in HKEY_CLASSES_ROOT ... View more

Thanks! Please let us know how it goes. Hopefully this will allow you to make progress ... View more

Hi there, Did you see the message and tried to Google for SubscriptionNotEnabledEncryptionAtHost? The answer comes immediately 😉 You need to enable this for your VMs/instances at a subscription level. Do check if it’s available in your region first. ... View more

Hi there,   there are several options, this one is relatively easy, shared a while ago by @PaulHomes : https://platformadmin.com/blogs/paul/2015/07/active-directory-authentication-for-sas-on-linux-with-realmd/   realmd can make the life easy for the first step, which is the OS side.   From here, you will need to ensure the Kerberos registration in AD through a service account (UPN) trusted for delegation, which contains the SPNs of your SASservice/host.domain and of your database too, as documented. ... View more

Hi there, Not sure if all of you are running SAS locally with EG or connecting to a server but: - SAS EG is not particularly designed to run long jobs. For that purpose, please do schedule a batch job, instead of being interactive. There are many ways to do it, feel free to pick one. - For client/server connections, on one hand your connections might have been terminated by your network and how your virtualization software is configured. Please do align with your IT departments. - There is a keepalive configuration option that can help sometimes, from the SAS configuration point of view. ... View more

Hi there, I am not sure if that code can be changed as Patrick suggested. Is it part of your EG project? From my point of view it seems like a code created a long ago by @gwontoon, and made standard for EG operations. But I might be wrong. This being said and put aside, I would check for the metadata permissions of your user/service account to read metadata of the SAS Application server and its underlying SAS servers (eg Logical SAS Workspace Server), in the SAS metadata. Be really careful with explicit vs inherited vs ACT provided permissions and their priorities. When all of this is okay I have seen cases where the faulty issue could be physical permissions on the logs folder, saswork or sasuser. Or the log on as batch job on windows. In some very rare cases, but always in grid setups I have seen issues on the configuration of the Object Spawner, where the High Availability/failover custom configurations lead to missing changes and forgetting to change the name of the Application Server. I suggest to make these checks, carefully, and in order as presented. ... View more

Thanks for the confirmation @ravikumar901  and special thanks to you @gwootton for pointing out the relevant patch 😉 ... View more