SAS & IWA: Reviewing SPNs

My last post was about configuring additional Service Principal Names (SPNs) in Active Directory to support the use of Integrated Windows Authentication (IWA) in a SAS® platform installation that uses host name aliases in preference to physical host names.

When working on a SAS & IWA setup like this, I’d start by reviewing the currently registered SPNs for all of the SAS servers involved (as well as any other servers that might be accessed from a SAS server using IWA). This gives an idea of what SPNs might have already been added, which ones still need to be added, and potentially which ones might need to be removed.

This is the command I use …

SAS & IWA: Host Name Aliases and SPNs

I’m quite keen on using host name aliases, rather than their physical host names, when referring to machines in SAS® platform installations. It does however mean a little extra configuration is required when using Integrated Windows Authentication. That is what this post is about: configuring Active Directory with additional Service Principal Names (SPNs) based on the aliases.

Host name aliases have several benefits over using physical host names. They can be easier to remember (e.g. sasmeta vs. p106547). They can be easily redirected from primary environments to disaster recovery environments (e.g. sasmeta from p106547 to d106547) with no client reconfiguration requirements. They also allow host machines to be readily renamed if/when required with little or no changes to SAS configuration files, programs and/or metadata.

Whilst they have obvious benefits, …

SAS Management Console over SSH

I was asked recently how to get SAS® Management Console to remotely access a SAS metadata server using SSH tunnels. In the absence of a VPN connection to your network, SSH can be an alternative for SAS Management Console access to a remote SAS metadata server.

I am a huge fan of SSH (Secure Shell). I have been using it several times a day for many years now. It’s great. If you haven’t heard of SSH before, take a look at the Wikipedia page for Secure Shell. Here’s a quote from the page that provides a nice intro/summary:

Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network.

Here are a couple of methods for using SAS Management Console over SSH:

1. Remote execution of SAS Management Console with X11 forwarding to the client

This method can be used when you are accessing a SAS platform installation on Linux or UNIX and have SSH client software and X server software on your remote workstation. Mac or Linux workstations are great for this since they usually have all the required software pre-installed. Windows can also be used if you obtain SSH client and X server software. I personally use PuTTY as an SSH client when I am working on Windows and would definitely recommend it. I have no specific recommendations for an X server on Windows since it’s been a long time since I’ve done X on Windows.

Assuming, as a SAS platform administrator, you have remote SSH access to the SAS metadata server machine then you can use SSH from your workstation to execute the SAS Management Console remotely and forward the X display to your client workstation.

Here’s an example command to do this:

ssh -X sasmeta.example.com /opt/sas93/SASManagementConsole/9.3/sasmc

Which means SSH connect, with X11 forwarding, to the machine sasmeta.example.com and then execute the SAS Management Console (/opt/sas93/SASManagementConsole/9.3/sasmc) on that remote machine sending the X windows back to the client workstation.

2. Local execution of SAS Management Console with SSH tunneling

SSH also allows you to configure a tunnel – a local port on your workstation that forwards traffic to a designated server and port in the remote network. This tunnel can be used to make a remote service appear to be a local service. We can use it to make a remote SAS metadata server port appear to be on the local workstation so that a local installation of the SAS Management Console can connect to it as if it had a local metadata server.

Here’s an example command to do this:

ssh -L 8561:sasmeta.example.com:8561 sasmid.example.com

Which means SSH connect to the machine sasmid.example.com and establish a local machine port (8561) that forwards traffic to the remote host/port sasmeta.example.com:8561 accessible via sasmid.example.com. If you are not using public key authentication (recommended) then you will be prompted for a user id and password for the server. Once the connection is active, a local SAS Management Console can be started and will be able to access the remote SAS metadata server using a connection profile that connects to a metadata server on host/port localhost:8561. All traffic to this local port will be sent to the remote metadata server over the SSH tunnel.

Bear in mind that this only makes the metadata server port available on the local machine. So the local SAS Management Console instance can only access the metadata server. It doesn’t necessarily make the client fully functional as it may require additional connections to additional servers e.g. access to a SAS Object Spawner for a SAS Workspace Server session or a connection to the SAS Content Server. You could look into forwarding other ports and will also need to modify your local hosts file to redirect the remote host names found in metadata to the localhost interface. For anything more complex than pure metadata server access it would probably be easier and more robust to use a VPN connection (or remote access via something like X or RDP to remote network client workstations).
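The multi-port case described above, as an added example that is not part of the original post: it builds one ssh command whose forwards listen on the loopback interface only, prints the matching hosts file entries, and checks `ss -Hltn` output for a forward that ended up listening on a non-loopback address. The host sasapp.example.com and port 8591 are assumptions for illustration; sasmeta, sasmid and port 8561 come from the post.

```shell
#!/bin/sh
# Added example (not from the original post). sasmeta/sasmid and port 8561
# come from the post; sasapp.example.com and port 8591 are assumptions.

# build_tunnel JUMP TARGET... : print one ssh command that forwards each
# host:port TARGET through JUMP, listening on the loopback interface only.
build_tunnel() (
  jump=$1; shift
  cmd="ssh -N -o ExitOnForwardFailure=yes"
  seen=" "
  for t in "$@"; do
    host=${t%:*}; port=${t##*:}
    case $port in
      ''|*[!0-9]*) echo "bad target: $t" >&2; exit 1 ;;
    esac
    # Every forward shares 127.0.0.1, so a local port can be used only once.
    case $seen in
      *" $port "*) echo "local port $port requested twice" >&2; exit 1 ;;
    esac
    seen="$seen$port "
    cmd="$cmd -L 127.0.0.1:$port:$host:$port"
  done
  echo "$cmd $jump"
)

# hosts_lines TARGET... : hosts-file entries that point the host names
# stored in metadata at the loopback interface.
hosts_lines() (
  for t in "$@"; do echo "127.0.0.1 ${t%:*}"; done | sort -u
)

# exposed_listeners PORT : read `ss -Hltn` output on stdin and print any
# listener on PORT that is not bound to loopback.
exposed_listeners() (
  awk -v p="$1" '{ n = split($4, a, ":")
       addr = substr($4, 1, length($4) - length(a[n]) - 1)
       if (a[n] == p && addr != "127.0.0.1" && addr != "[::1]") print $4 }'
)

build_tunnel sasmid.example.com sasmeta.example.com:8561 sasapp.example.com:8591
hosts_lines sasmeta.example.com:8561 sasapp.example.com:8591
```

On a Linux workstation, `ss -Hltn | exposed_listeners 8561` should print nothing while the tunnel is up; any output means the forwarded metadata port is reachable by other machines on the workstation's network.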

New SAS BI Book: a good read for Platform Administrators too

I’ve just added a link to the new Building Business Intelligence Using SAS: Content Development Examples book by Tricia Aanderud and Angela Hall to my reading list of information resources I find useful for SAS® platform administration. Their book is not just for BI content developers. I think it’s a good read for SAS platform administrators too. It helps us to understand what the BI people do and is also packed with information on what we can do to support them.

A large proportion of the SAS platform administrators I speak to in Australia come from a systems administration background rather than a SAS background (my wildly inaccurate guess would be about 50%). Those new SAS admins have great knowledge of sys admin but might have only just been introduced to the SAS platform. They’ve heard lots of terms like metadata, libraries, stored processes, cubes, information maps, prompts, web reports, dashboards, portlets and portal pages. Their customers, the SAS users, talk to them about applications like SAS Enterprise Guide, SAS Information Map Studio, SAS Information Delivery Portal, SAS Web Report Studio, SAS OLAP Cube Studio, SAS Add-In for Microsoft Office and SAS BI Dashboard. You can imagine it’s quite daunting when you’re starting out as a SAS admin! When I talk to them, the first things they want to understand are what do all these terms mean, what are all of these applications used for, and what do I need to know about them to be able to support my users. I think this new book is another great resource to help answer those questions and get a better understanding of the needs of the SAS user community.

The book consists of many short practical examples of typical activities BI content developers need to do. I like that there are lots of screenshots showing you exactly where you need to be. When the BI developer needs administrator assistance, the instructions are provided right there in context. If the BI developer is also an administrator they can keep going without stopping. If they need an administrator to help them, that’s where they can phone, or send them an email, outlining what’s required based on what they see in the book. If you’re reading the book as an administrator you can see the administration task in context to know why someone might be asking you to perform that task for them.

Some of the admin related things you’ll see in the book include: a high level overview of the purpose of the various SAS client applications; registering library and table metadata and updating table metadata; granting application capabilities through roles; pre-assigning libraries & controlling library assignment mode; turning on ARM logging to tune OLAP cubes; OLAP member-level security; identity based filters for BI row level security; scheduling reports; and configuring portal group content administrators.

You can order the book from SAS Press and it’s also available from Amazon. I understand that there’s an eBook edition coming soon too.

I’m looking forward to meeting the authors in person at the SAS Global Forum next month. We’ll have our copy of the book with us to see if we can get it signed :)

I’d also recommend following Angela and Tricia’s blogs: Real BI for Real Users and Business Intelligence Notes. They have a new book on the way too: The 50 Keys to Learning SAS Stored Processes.

If you know of any other books that you think would be a good read for a SAS platform administrator please let me know.