1. Update the login.config file in your SAS configuration directory so that it contains the necessary references to the web domain.
2. Add information about security constraints, an authentication method, and security roles to the SAS Logon Manager application. When you reinstall the application, provide a security role to user or group mapping to indicate which users have permission to access the application.
3. Copy SAS JAR files to the WebSphere Application Server installation.
4. Using the IBM WebSphere Integrated Solutions Console (known as the administrative console), update information about the login modules that the server uses for authentication and authorization when the system is configured for Web authentication. You must modify information for some login modules and add information for others.
5. Configure the SAS Remote Services application so that its classpath includes the location of the WebSphere Application Server classes that represent Java Authentication and Authorization Service (JAAS) principals. Logon Manager retrieves the current Subject from WebSphere Application Server and passes it to Remote Services.
6. Ensure that the correct JRE is used.
7. Restart Remote Services and WebSphere Application Server. You can also restart the Metadata Server.
8. Verify the configuration. You might need to create a web authentication domain and add new accounts in that domain for users.
1. Select Security > Global Security.
2. Under User account repository > Available realm definitions, select Federated repositories.
3. Click Set as current.
4. Select Configure. On the configure screen, type in your admin user name in Primary administrative user name and accept all other defaults.
5. Click OK to go to the next screen.
6. Type in the admin password and click OK.
7. Select Global security.
8. Check Enable administrative security and Enable application security.
9. Optionally, select Use Java 2 security to restrict application access to local resources.
10. Click OK and save the changes.
You must restart your DMGR for the changes to take effect.
To configure WebSphere users for authentication, follow these steps:
1. Select Manage Users.
2. Select Create.
3. Type in a user ID, such as sasdemo, and fill in the other fields. Click Create. You can create as many user IDs as needed.
For more information about configuring a user registry, see Chapter 2: Configuring the user registry in the WebSphere Application Server V7.0 Security Guide. If you have DefaultApplication.ear installed and its role All Role is mapped to a user or group, you can verify the configuration by accessing a Web application on the server. You can use snoop by opening a Web browser to http://HOSTNAME:9080/snoop. If WebSphere Application Server is configured correctly, WebSphere Application Server asks you for credentials that are stored in the user registry.
Before beginning this configuration, be sure that the WebSphere Application Server that is hosting SAS Web applications is running. At the end of the procedure, you must start or restart Remote Services and all WebSphere Application Server processes.
required
"debug"="false";
};
SCS {
com.sas.services.security.login.OMILoginModule
required
"host"="metadataserverhost"
"port"="8561"
"repository"="Foundation"
"domain"="DefaultAuth"
"trusteduser"="sastrust@saspw"
"trustedpw"="encodedpassword"
"aliasdomain"="web"
"holdopenconnection"="true"
"debug"="false";
};
The default value of aliasdomain is MidtierInternal.
1. Use the WebSphere administrative console to stop and uninstall SAS Web Infrastructure Platform applications (SAS Web Infrastructure Platform Applications 9.3). You need to make changes to the corresponding SAS-config-dir/Lev1/Web/Staging/sas.wip.apps9.3.ear (EAR) file.
2. Extract the sas.wip.apps9.3.ear file so that you can access the WEB-INF directory for Logon Manager.
   a. In a temporary directory, extract the EAR file. You can use the jar command to do this:
      jar xvf sas.wip.apps9.3.ear
      File sas.svcs.logon.war is available in the extracted directory.
   b. In a second temporary directory, extract sas.svcs.logon.war. You now have access to the Logon Manager WEB-INF directory.
3. Edit the file web.xml in the WEB-INF directory to add information about security constraints, an authentication method, and security roles. For example, just above the closing </web-app> tag, you might add these elements:
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SASWebUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<security-role>
<role-name>SASWebUser</role-name>
</security-role>
In this example, all pages are protected and only users who have been assigned the SASWebUser role can access them.
4. Before you rebuild the WAR and EAR files, change directories from the WEB-INF directory to the lib directory inside it, and copy these JAR files to a temporary location:
   sas.core.jar
   sas.oma.omi.jar
   sas.security.sspi.jar
   sas.svc.connection.jar
   sas.svc.sec.login.jar
   sas.svc.sec.login.websphere.jar
   log4j.jar
   Note: This step is not part of updating SAS Web Infrastructure Platform applications. However, it is preparation for a later step in configuring Web authentication.
5. Rebuild the WAR and EAR files. You can use the jar command to create these files:
   jar cvf sas.svcs.logon.war *
   jar cvf sas.wip.apps9.3.ear *
6. Copy the EAR file to your staging directory. However, do not overwrite the original EAR file unless you already made a backup copy.
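A check that can be run on the rebuilt EAR before it is copied to the staging directory, added here as an example (it is not SAS or IBM code). It opens the EAR, reads WEB-INF/web.xml from sas.svcs.logon.war, and reports whether the constraint, role and login-config from step 3 are actually in the archive; the function names and messages are assumptions of this example.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

WAR_NAME = "sas.svcs.logon.war"  # Logon Manager WAR named on this page


def child_texts(root, parent, child):
    """Text of every <child> found under any <parent>, ignoring XML namespaces."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    return [(c.text or "").strip()
            for p in root.iter() if local(p) == parent
            for c in p.iter() if local(c) == child]


def check_logon_manager(ear, role="SASWebUser"):
    """ear: path or file object. Returns a list of problems (empty means OK)."""
    with zipfile.ZipFile(ear) as outer:
        if WAR_NAME not in outer.namelist():
            return [WAR_NAME + " is not at the top level of the EAR"]
        war_bytes = outer.read(WAR_NAME)
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        if "WEB-INF/web.xml" not in war.namelist():
            return ["WEB-INF/web.xml is not in the WAR (jar run from the wrong directory?)"]
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
    problems = []
    if "/*" not in child_texts(root, "security-constraint", "url-pattern"):
        problems.append("no security-constraint covers /*")
    if role not in child_texts(root, "auth-constraint", "role-name"):
        problems.append("no auth-constraint names " + role)
    if role not in child_texts(root, "security-role", "role-name"):
        problems.append(role + " is not declared in a security-role element")
    if not child_texts(root, "login-config", "auth-method"):
        problems.append("login-config has no auth-method")
    return problems


if __name__ == "__main__":
    # Usage: python check_ear.py sas.wip.apps9.3.ear
    for line in check_logon_manager(sys.argv[1]) or ["web.xml constraints look complete"]:
        print(line)
```

An EAR that passes this check but was rebuilt from the original, unedited web.xml would show all four problems, which is the case where Logon Manager is redeployed without any container authentication.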
1. Select Applications > Enterprise Applications.
2. Click Check: SAS Web Infrastructure Platform Applications 9.3.ear. Select Uninstall. Save the results.
3. Click Install.
4. On the Specify the EAR, WAR, JAR, or SAR module to upload and install page, select the Local file system or Remote file system radio button, and then browse to the location of the EAR file. Select the EAR file and click OK. Click Next.
5. Finish running the installation wizard by accepting all defaults.
6. From the Enterprise Applications page, select the newly installed application.
7. On the page for that application, set the class loading behavior for the EAR file:
   a. Click Class loading and update detection.
   b. On the Class loader page, set Class loader order to Classes loaded with local class loader first. (Leave the WAR class loader policy set to Class loader for each WAR file in application.)
8. For each WAR file in the EAR file, set the class loader behavior:
   a. On the main page for configuring the application (EAR), click Manage Modules.
   b. Click the name of the Web module (WAR file) that you want to configure.
   c. On the configuration page for the WAR file, change the value of Class loader order to Classes loaded with local class loader first and click OK.
   d. Click OK to close the Manage Module page.
9. Set the startup order by selecting Startup behavior, set the Startup order value to 3, and then click OK.
10. Set the security mapping by clicking the Security role to user/group mapping link. Map the role SASWebUser to users. If this option is not appropriate for your site, then consider mapping the role to groups that are defined in your user registry. The following figure shows an example of mapping the role to the group sasusers that is defined in the user registry.
Note: If you do not see the Role that you entered in the web.xml file, then check that the correct EAR file is deployed and that the changes to the web.xml file are correct.
1. Select Security > Global Security > Java Authentication and Authorization Service > Application logins.
2. For the PFS alias, make these changes to the login module.
   a. Write down the properties used for this module, for example:
   b. Delete the module.
   c. Create a new module of class name:
      com.sas.services.security.login.TrustedLoginModule
   d. Add the properties you recorded and a new custom property with these values.
      Name: aliasdomain
      Value: DefaultAuth
      Note: If you chose an authentication domain value other than DefaultAuth when you ran the SAS Deployment Wizard, then use the value you chose.
   e. Change the value of the custom property domain from DefaultAuth to web.
   f. Make sure its order is 1 (one) and authentication strategy is Sufficient.
3. For the SCS alias, change the properties associated with the login module com.sas.services.security.login.OMILoginModule.
4. Add a new custom property with these values.
   Name: aliasdomain
   Value: web
1. Select Security > Global Security > Java Authentication and Authorization Service > System logins > WEB_INBOUND > JAAS login modules.
2. Click New, provide this information, and click OK.
   Module class name: com.sas.services.security.login.websphere.WSTrustedLoginModule
   Authentication strategy: OPTIONAL
3. Select the module that you just created and then click the Custom Properties link.
4. On the Custom properties page, for each of these name-value pairs, click New, enter the name-value pair, and click OK.
   Name: aliasdomain    Value: DefaultAuth
   Name: debug          Value: false
   Name: domain         Value: web
   Name: host           Value: metadata-server-host
   Name: port           Value:
   Name: repository     Value: Foundation
   Name: trustedpw      Value:
   Name: trusteduser    Value: sastrust@saspw
WAS_INSTALL_ROOT/plugins/com.ibm.ffdc.jar
WAS_INSTALL_ROOT/plugins/com.ibm.ws.admin.core.jar
WAS_INSTALL_ROOT/plugins/com.ibm.wsfp.main.jar
WAS_INSTALL_ROOT/plugins/com.ibm.ws.runtime.jar
WAS_INSTALL_ROOT/lib/bootstrap.jar
WAS_INSTALL_ROOT/plugins/com.ibm.ws.emf.jar
WAS_INSTALL_ROOT/plugins/org.eclipse.emf.ecore.jar
WAS_INSTALL_ROOT/plugins/org.eclipse.emf.common.jar
WAS_INSTALL_ROOT/lib/j2ee.jar
Important: You must enter the classpath all on one line, without spaces or carriage returns.
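Because the value is long and easy to break when it is copied from a wrapped listing, the following added example (not SAS or IBM code) builds the sas.app.class.path value from the JAR list above and checks a value taken from a script for line breaks, stray whitespace and missing JARs. The function names are assumptions of this example; the JAR names are the ones listed on this page.

```python
import ntpath
import posixpath

# JAR locations relative to WAS_INSTALL_ROOT, as listed on this page.
WAS_JARS = [
    "plugins/com.ibm.ffdc.jar",
    "plugins/com.ibm.ws.admin.core.jar",
    "plugins/com.ibm.wsfp.main.jar",
    "plugins/com.ibm.ws.runtime.jar",
    "lib/bootstrap.jar",
    "plugins/com.ibm.ws.emf.jar",
    "plugins/org.eclipse.emf.ecore.jar",
    "plugins/org.eclipse.emf.common.jar",
    "lib/j2ee.jar",
]


def build_class_path(remote_services_dir, was_root, windows=False):
    """Return the sas.app.class.path value as one line with no spaces added."""
    sep, path = (";", ntpath) if windows else (":", posixpath)
    entries = [remote_services_dir]
    entries += [path.join(was_root, *rel.split("/")) for rel in WAS_JARS]
    return sep.join(entries)


def check_class_path(value, windows=False):
    """Return a list of problems in a class path value (empty means OK)."""
    sep, path = (";", ntpath) if windows else (":", posixpath)
    problems = []
    if "\n" in value or "\r" in value:
        problems.append("line break inside the value")
    entries = value.split(sep)
    if any(e != e.strip() for e in entries):
        problems.append("whitespace around an entry")
    present = {path.basename(e.strip()) for e in entries}
    missing = [posixpath.basename(j) for j in WAS_JARS
               if posixpath.basename(j) not in present]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    return problems
```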
Windows
For Windows machines, the RemoteServices.bat script should resemble the following example:
:start2
rem The sas.app.class.path value must stay on one line, with no spaces or line breaks.
start "SAS Remote Services" "%JAVA_JRE_COMMAND%" ^
-classpath "%CLASSPATH%" ^
-Dsas.ext.config="D:\Program Files\SAS\SASFoundationServices\9.3\sas.java.ext.config" ^
-Djava.system.class.loader=com.sas.app.AppClassLoader ^
-Dsas.app.launch.config="%PICKLIST%" ^
-Dsas.app.repository.path="%SASVJR_REPOSITORYPATH%" ^
-Dsas.app.class.path="%REMOTESERVICESDIR%;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ffdc.jar;C:\IBM\WebSphere\AppServer\lib\bootstrap.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.admin.core.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.wsfp.main.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.runtime.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.emf.jar;C:\IBM\WebSphere\AppServer\plugins\org.eclipse.emf.ecore.jar;C:\IBM\WebSphere\AppServer\plugins\org.eclipse.emf.common.jar;C:\IBM\WebSphere\AppServer\lib\j2ee.jar" ^
-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false ^
-Dmulticast_udp_ip_ttl=1 ^
-Dsas.vjr.dir="%SASVJR_REPOSITORYPATH%" ^
-Dsas.lev.dir="%LEVEL_ROOT%" -Dsas.home.dir="%SAS_HOME%" ^
-Dsas.services.information.types.path="D:\Program Files\SAS\SASPlatformObjectFramework\9.3\plugins" ^
-Dsas.vm.identifier=Lev3:5093 ^
-Xms128m -Xmx128m -XX:+UseTLAB ^
-XX:+UseConcMarkSweepGC -XX:+DisableExplicitGC ^
-Dsun.rmi.dgc.client.gcInterval=3600000 ^
-Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Xss256k ^
-XX:NewSize=16m -XX:MaxNewSize=16m -XX:PermSize=64m -XX:MaxPermSize=64m ^
com.sas.framework.services.bootstrap.SASRemoteServices
goto end
If Remote Services is started as a Windows service, then you must make the same modification to the SAS-config-dir\Lev1\Web\Applications\RemoteServices\wrapper.conf file. The part of the file that sets the classpath should resemble the following example:
# This numbering starts at the endpoint of the including wrapper.conf
wrapper.java.additional.3=-Dsas.app.class.path="C:\SAS\Config\Lev3\Web\Applications\RemoteServices;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ffdc.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.admin.core.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.wsfp.main.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.runtime.jar;C:\IBM\WebSphere\AppServer\lib\bootstrap.jar;C:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.emf.jar;C:\IBM\WebSphere\AppServer\plugins\org.eclipse.emf.ecore.jar;C:\IBM\WebSphere\AppServer\plugins\org.eclipse.emf.common.jar;C:\IBM\WebSphere\AppServer\lib\j2ee.jar"
UNIX
For a UNIX machine, the classpath property is set beneath the start2 tag and the changes should resemble the following example:
start2)
"$JAVA_JRE_COMMAND" -Dsas.ext.config="/opt/SAS/SASFoundationServices/9.2/sas.java.ext.config" \
-classpath "$CLASSPATH" \
-Djava.system.class.loader=com.sas.app.AppClassLoader \
-Dsas.app.launch.config="$MERGER_PICKLIST" \
-Dsas.app.repository.path="$SASVJR_REPOSITORYPATH" \
-Dsas.app.class.path="$REMOTESERVICESDIR" \
com.sas.framework.picklist.PicklistMerger \
-primary "$PRIMARY_PICKLIST" \
"$PICKLIST" \
"$SECONDARY_PICKLIST1" \
"$SECONDARY_PICKLIST2"
cd $REMOTESERVICESLOGSDIR
# The sas.app.class.path value below must stay on one line, with no spaces or line breaks.
nohup "$JAVA_JRE_COMMAND" -Dsas.ext.config="/opt/SAS/SASFoundationServices/9.2/sas.java.ext.config" \
-classpath "$CLASSPATH" \
-Djava.system.class.loader=com.sas.app.AppClassLoader \
-Dsas.app.launch.config="$PICKLIST" \
-Dsas.app.repository.path="$SASVJR_REPOSITORYPATH" \
-Dsas.app.class.path="$REMOTESERVICESDIR:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.ffdc.jar:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.ws.admin.core.jar:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.wsfp.main.jar:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.ws.runtime.jar:/opt/IBM/WebSphere/AppServer/lib/bootstrap.jar:/opt/IBM/WebSphere/AppServer/plugins/com.ibm.ws.emf.jar:/opt/IBM/WebSphere/AppServer/plugins/org.eclipse.emf.ecore.jar:/opt/IBM/WebSphere/AppServer/plugins/org.eclipse.emf.common.jar:/opt/IBM/WebSphere/AppServer/lib/j2ee.jar" \
-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false \
-Dmulticast_udp_ip_ttl=1 \
...
1. Start SAS Management Console and connect to the SAS Metadata Server.
2. Select Application Management > Configuration Manager > SAS Application Infrastructure.
3. Right-click SAS Application Infrastructure and select Properties.
4. Select Advanced.
5. Click Add.
6. Select Property Name, enter WebApp.AuthDomain.
7. Select Property Value, enter web.
8. Click OK until you are out of the dialogs.
1. Use SAS Management Console to create an authentication domain named web.
   a. Right-click User Manager and select Authentication Domains.
   b. Click New, enter web in the Name field, and click OK.
2. Choose a trial user ID that exists in your user registry. Use SAS Management Console to create a user definition for the user in the web authentication domain. Do not enter a password for the account.
3. Try logging on to a SAS Web application with the user ID.
If the logon attempt fails, view the SAS Metadata Server log. Look for the format of the user ID that was used in the logon attempt. Use SAS Management Console to modify the user definition so that the user account in the web authentication domain matches the user ID in the log. While you are troubleshooting, do not enter a password in the user definition because it has no effect on Web authentication. Also, do not try logging on with an internal account such as sasadm@saspw.
Note: As part of Web authentication, the user ID but not the password is checked against the user accounts that are stored in the SAS Metadata Repository. The user ID used to authenticate with the user registry must match exactly the user ID string found on the SAS Metadata Server for authentication to succeed. For example, if joe is the user ID in your user registry, the exact user ID string joe must also be found in the SAS Metadata Repository without a prefixed domain name.
FORM Authentication
Use the following instructions to set up a simple FORM authentication with WebSphere 7.0 and SAS 9.3.
1. To enable the custom logoff message, follow the instructions at Sample 36785: Creating a custom message to display when users log off or time out of the SAS Business Intelligence Web applications.
2. Extract the sas.wip.apps9.3.ear and sas.svcs.logon.war files using the instructions in section Modify Logon Manager.
3. Modify the <login-config> section in web.xml as shown in the example below. The <form-login-page> and <form-error-page> elements are required, but the associated file names can differ from the example. The files also can be .jsp files instead of .html files.
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Form Auth</realm-name>
<form-login-config>
<form-login-page>/was_login.html</form-login-page>
<form-error-page>/form_error.html</form-error-page>
</form-login-config>
</login-config>
4. Create a login form and error page file that are referenced in the web.xml file. The rest of the page can be formatted per the customer's needs. The ACTION specified in the example is required for successful login with WebSphere. Also use the exact name values in the input fields.
Login form code example (was_login.html):
<FORM METHOD=POST ACTION="j_security_check">
<p>
<font size="2"> <strong> Enter user ID and password: </strong></font>
<BR><br>
<strong> User ID</strong> <input type="text" size="20"
name="j_username">
<Br>
5. Save the files in the root level of sas.svcs.logon.war.
6. Modify the custom_logoff.jsp file. The following example automatically executes upon logoff, and redirects you back to the login page. The ACTION specified in the example is required to invalidate the authenticated WebSphere session. Otherwise, customize to the customer's requirements.
<html>
<body onLoad="submitForm()">
<FORM METHOD=POST ACTION="ibm_security_logout" NAME="myForm" ID="myForm">
</form>
<script type='text/javascript'>
// Called by onLoad: posting to ibm_security_logout invalidates the WebSphere session.
function submitForm() {
  document.myForm.submit();
}
</script>
</body>
</html>
7. Rebuild the .war file and .ear file as described in Step 5 of the Modify Logon Manager.
8. Reinstall sas.wip.apps9.3.ear.
9. Restart WebSphere server instance.
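Step 4 requires the exact ACTION and input names, and a customized login page is where they tend to get renamed. The following added example (not SAS or IBM code) scans a login page for them before the WAR is rebuilt; the password field name j_password comes from the Java Servlet form-login convention and is an assumption here, since the page's own form listing stops before that field.

```python
from html.parser import HTMLParser


class FormScan(HTMLParser):
    """Record each <form> with its action, method and the inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self.current = {"action": a.get("action") or "",
                            "method": (a.get("method") or "get").lower(),
                            "inputs": {}}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            self.current["inputs"][a.get("name")] = (a.get("type") or "text").lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def check_login_form(html):
    """Return a list of problems with a FORM-login page (empty means OK)."""
    scan = FormScan()
    scan.feed(html)
    forms = [f for f in scan.forms
             if f["action"].rsplit("/", 1)[-1] == "j_security_check"]
    if not forms:
        return ["no form submits to j_security_check"]
    form, problems = forms[0], []
    if form["method"] != "post":
        problems.append("form method is not POST")
    for name in ("j_username", "j_password"):
        if name not in form["inputs"]:
            problems.append("missing input named " + name)
    if form["inputs"].get("j_password", "password") != "password":
        problems.append("j_password is not a type=password input")
    return problems
```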
Recommended Reading
As of December 2012:
IBM Corporation, 2009. WebSphere Application Server V7.0 Security Guide. ibm.com/Redbooks. Available at http://www.redbooks.ibm.com/redbooks/pdfs/sg247660.pdf.
SAS Institute, Inc., 2011. SAS 9.3 Intelligence Platform: Security Administration Guide. Cary, NC: SAS Institute, Inc. Available at http://support.sas.com/documentation/cdl/en/bisecag/63082/PDF/default/bisecag.pdf.
SAS and all other SAS Institute product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other
countries. Other brand and product names are registered trademarks or trademarks of their respective companies.
® indicates USA registration.
Copyright 2012 SAS Institute Inc., Cary, NC, USA. All rights reserved.
December 12, 2012