Using SAS92HFADD & ViewRegistry on Windows Server 2008 R2

In my earlier post on Reviewing Installed SAS 9.2 Software and Hotfixes I mentioned that I ran into a few User Access Control issues on Microsoft Windows Server 2008 R2 when using the SAS ViewRegistry Report utility and the SAS 9.2 Hot Fix Analysis, Download and Deployment Tool (SAS92HFADD).

To get the SAS ViewRegistry Report and SAS92HFADD utilities functioning correctly on Windows Server 2008 R2, the User Access Control (UAC) feature will require you to go through a few extra hoops (unless you have it disabled). UAC is a security feature that, when enabled, means that administrators log in and operate as standard users most of the time, and when they need to do something that requires elevated privileges they will be prompted by Windows (or as I also found out sometimes silently blocked). If you want more information (and a fuller explanation of UAC) then read the Microsoft document User Account Control Step-by-Step Guide.

If you run your server with UAC disabled then you can just follow the SAS instructions as normal and disregard this particular blog post. Of course running with UAC disabled is not normally recommended. I seriously considered turning it off, but decided I would try to ‘do the right thing’ and also use it as a learning experience. After a bout of UAC frustration I spoke to one of my friends who specializes in Microsoft technologies and he told me he leaves UAC enabled and tends to have an administrative PowerShell window open for when he needs to do some admin things.

In this post I’ll explain what I needed to do, in addition to the SAS provided instructions, to get those utilities working on Windows Server 2008 R2 with UAC enabled.

ViewRegistry Report

The SAS ViewRegistry Report utility is used to generate HTML and text reports listing the SAS software and hotfixes currently installed. You can also feed the output of this utility into the SAS92HFADD utility to generate another report detailing the appropriate available hotfixes that have yet to be installed, together with scripts to download and install them.

When I followed the usage note instructions for Windows and just double-clicked on sas.tools.viewregistry.jar I found nothing happened. I then opened up a command window and ran java -jar sas.tools.viewregistry.jar which gave me a bit more information as shown below:

c:\Program Files\SAS\deploymntreg>java -jar sas.tools.viewregistry.jar
java.io.FileNotFoundException: C:\Program Files\SAS\deploymntreg\registry.lck (Access is denied)
Exception in thread "main" java.lang.NullPointerException
at com.sas.tools.viewregistry.Report.collectRegistryData(Report.java:98)
at com.sas.tools.viewregistry.Report.main(Report.java:66)

I was logged on as someone who was an administrator (sas), so I knew it wasn’t a file system permission issue and must be related to UAC. To run sas.tools.viewregistry.jar with elevated permissions I right-mouse-clicked over the Command Prompt item in the Windows Start Menu, and clicked the Run as administrator menu item:

This opened an Administrator: Command Prompt window where I issued the following commands to run the ViewRegistry Report utility as an administrator:

cd "C:\Program Files\SAS\deploymntreg"
java -jar sas.tools.viewregistry.jar

This time it worked, generating the DeploymentRegistry.html and DeploymentRegistry.txt files as expected.

If you expect to run the ViewRegistry Report utility regularly then you might find it easier to create the file C:\Program Files\SAS\deploymntreg\ViewRegistry.bat containing the following:

@echo off
cd /d "%~dp0"
java -jar sas.tools.viewregistry.jar
pause

To run ViewRegistry.bat as an administrator, right-click over it in Windows Explorer and select the Run as administrator item from the pop-up menu:

SAS 9.2 Hot Fix Analysis, Download and Deployment Tool (SAS92HFADD)

The SAS92HFADD utility takes the output from the ViewRegistry Report utility and generates another report detailing the appropriate available hotfixes that have yet to be installed, together with scripts to download and install them.

SAS92HFADD for Windows is downloaded as a WinZip Self-Extractor (SAS92HFADDwn.exe). I ran this and got the following error:

It also needs to be run as an administrator. This can be done by right-clicking over the SAS92HFADDwn.exe file in Windows Explorer and select the Run as administrator item from the pop-up menu:

I now had the C:\Program Files\SAS\SAS92HFADD directory and files as expected. Into that directory I then dropped a copy of the DeploymentRegistry.txt file from a run of ViewRegistry Report utility. I actually missed this step the first time around and got the >> %%% ERROR: Unable to open DeploymentRegistry.txt error in the tool_log.txt file as explained in the SAS documentation.

Next I ran the C:\Program Files\SAS\SAS92HFADD\SAS92HFADD.exe utility. Initially it looked like it was working:

However, after a few seconds, the window closed and there were no additional files (not even a log file) in the C:\Program Files\SAS\SAS92HFADD directory. I immediately guessed this also needed to run as an administrator. I right-clicked over C:\Program Files\SAS\SAS92HFADD\SAS92HFADD.exe in Windows Explorer and select the Run as administrator item from the pop-up menu:

When it completed I had a new directory tree C:\Program Files\SAS\SAS92HFADD\WX6_1295740219 containing the following files as expected:

  • AnalysisReport\SAS_92_Hot_Fix_Report_WX6_1295740219.html
  • Log\tool_log.txt
  • DownloadTools\ftp_script.bat
  • DownloadTools\ftp_script.txt
  • DownloadTools\MD5_checksums.txt
  • DeployTools\WX6_install_script.bat

The AnalysisReport\SAS_92_Hot_Fix_Report_WX6_1295740219.html file is a report listing all of the available hotfixes that can be installed on the server (that haven’t already been installed):

The DownloadTools\ftp_script.bat file is an automatically generated script that can be run to download all the hotfixes identified in the report. I started out running this by double clicking on it in Windows Explorer. By this time I was almost certain that UAC would be a barrier, but as a learning experience I wanted to see how it would fail anyway. The following screenshot has the error message highlighted – at least there was an error message :)

I ran the FTP script again, this time by right-clicking over it in Windows Explorer and selecting the Run as administrator item from the pop-up menu:

The FTP script to download all the hotfixes ran successfully to completion this time. It took a while, as there were many hotfixes to download, but when it finished I had a bunch of hotfix executables in the DeployTools directory. Now it was time to install them.

To install the hotfixes I used the automatically generated DeployTools\WX6_install_script.bat script that silently installs each hotfix in turn. I started out running this by just double clicking on it in Windows Explorer. I guessed UAC would most likely block it, but once again I wanted to see how it would fail. It took a little while to complete, and appeared to be doing something without generating any errors, however when it had finished I could see by re-running the ViewRegistry Report utility that nothing had changed – no additional hotfixes had been installed.

I ran the install script again, this time by right-clicking over it in Windows Explorer and selecting the Run as administrator item from the pop-up menu:

I saw the command window open and all the commands flash by, possibly with errors, but way too fast for me to see – and also way too fast for the hotfixes to actually have been installed :)

The next method I tried, which worked this time, was to open a command prompt window as an administrator, change directory to the DeployTools directory and run the WX6_install_script.bat script:

The install script continued away for a while silently install each hotfix in turn:

Once the install script had completed, I went through the analysis report to ensure I did all of the outstanding manual tasks. I found the manual tasks by reading through the several linked documents in the analysis report that were tagged with a [D]. In this case it included upgrading metadata using the SAS Management Console, copying a plugins directory into a couple of locations, using the SAS Deployment Manager to rebuild a number of EAR files, and then redeploying the updated EAR files.

With all of this done I did a final check by re-running the ViewRegistry Report utility, copying over the new DeploymentRegistry.txt file, and then re-running SF92HFADD.exe. The resulting analysis report now had a nice green banner indicating that I was up to date with all of the available hotfixes.

Final Notes

This process assumes you want to install all of the available hotfixes. If your update strategy is to only install a subset of the hotfixes (such as those with alert notes) you can edit the generated ftp and install scripts to only download and apply those hotfixes you have targeted. The analysis report is a very useful document to help you determine what hotfixes are available for your platform/product mix that haven’t yet been installed. The report can also be used to help you chose which of those hotfixes are appropriate for your update strategy by reviewing the Issue(s) Addressed links.

Regarding UAC, at some point I also tried using a Windows Explorer (run as administrator) but found that the things it launched did not themselves run as administrator too. Looking back on it now, it probably would have been easier to avoid Windows Explorer completely and just use the administrative command prompt window (or PowerShell) – as my Microsoft oriented friend later suggested. I guess I could have also temporarily disabled UAC for the duration of this process and then re-enabled it afterwards. Taking this easy way out, however, would have meant I didn’t find out what I could and couldn’t do with UAC enabled, and I would have also missed out on the learning experience.

What I originally meant to be a reasonably short post has actually turned out to be much longer than I expected! If you’ve made it to the end and have any comments, or suggestions about alternative approaches, please let me know by leaving a comment below.

Resetting File Permissions in Windows Server 2008 R2

Today I needed to reset the permissions for a bunch of files in a directory on a SAS server (running Windows Server 2008 R2) so that they reverted back to the inherited permissions from the directory they were contained in (they currently had non-inherited explicit permissions for a particular user). There were too many to do by hand using point-and-click in the properties dialog so I switched to the command line.

In previous versions of Windows I had used the cacls command but I noticed in Windows Server 2008 the cacls command is deprecated and replaced with icacls. If you use the cacls command with no parameters to display the help, you will see the following message in its output:

...
NOTE: Cacls is now deprecated, please use Icacls.
...

The Microsoft TechNet site has documentation for the icacls command.

To reset an individual file’s permissions you can use:

icacls file.ext /reset

Using a wildcard to reset the permissions for a collection of files also works:

icacls *.ext /reset

Resetting the permissions on a file drops any specific/custom/explicit permissions on that file and reinstates the inherited permissions from the container/folder so that the file now only has the default inherited permissions.

Reviewing Installed SAS 9.2 Software and Hotfixes

If you’ve ever needed to review which SAS® software components have been installed on your SAS servers and clients, as well as know which hotfixes may have already been installed, then you will be interested in SAS Usage Note 35968: Using the ViewRegistry Report and other methods to determine the SAS® 9.2 software releases and hot fixes that are installed.

The usage note provides instructions detailing how you can use a Java-based SAS utility (sas.tools.viewregistry.jar) to generate HTML and text reports (DeploymentRegistry.html and DeploymentRegistry.txt) of the installed software and hotfixes. With SAS 9.1.3 I used to manually maintain (error-prone) spreadsheets with this information, so I am very happy to be able to automate it with SAS 9.2 and get reliable information.

Now that you have this information the next logical step would be to determine which hotfixes haven’t been installed, but might need to be, then download and install them…

Well, the even better news is that SAS Institute also provide the SAS 9.2 Hot Fix Analysis, Download and Deployment Tool (SAS92HFADD). SAS92HFADD is another utility that compares the currently installed hotfixes against a freshly downloaded list of currently available hotfixes for the software you have installed. It generates an HTML analysis report listing all of the appropriate hotfixes together with links to the list of issues, install instructions and download for each hotfix. It even adds annotations to those hotfixes that require a bit more attention because they have dependencies or post-installation instructions (like rebuilding and redeploying web apps). As well as the report you also get a script to download all of the hotfixes and another script to silently install them all. I was very impressed. I think I’m going to like using this utility :)

One thing that tripped me up when I first tried to run SAS92HFADD (because in my excitement I skimmed over the instructions too quickly), was that you need to manually run ViewRegistry to get a DeploymentRegistry.txt file to drop into the SAS92HFADD directory. It would be great if a future version did this automatically. I’d also be quite keen to see it all managed from a central admin console that reaches out to all the SAS servers and clients in an organization to collect this information and optionally push out selected hotfixes. Perhaps this could be a suggestion for the SASware Ballot?

For those who run SAS software on Windows Server 2008 R2, you might run into the same User Access Control issues I did, so I’ll do a follow up post specifically on using ViewRegistry and SAS92HFADD on Windows Server 2008 R2.

SAS Web Report Studio In-Process Scheduling Port Allocations for Lev1, Lev2 …

Today I was installing SAS 9.2 with the latest 4.3 web apps on Linux 64-bit (from a very new 920_11w03 depot). After successfully setting up a Lev1 environment I then went on to create a Lev2 environment (on the same machine). All was going ok until I got to the page in the SAS Deployment Wizard where you choose the SAS Web Report Studio: In-Process Scheduling Ports. This is what it looked like:

These ports (7570, 7571, 7572) looked very familiar. Checking my notes I saw that they were the very same ports from the Lev1 configuration. This was odd because I had specifically selected Lev2 in an earlier page and although all of my other ports were automatically incremented for a Lev2 environment (e.g. 8561 to 8562, 8591 to 8592 etc.) these ports were the same as the Lev1 ports.

This sounded like a recipe for a port clash so I needed to pick some alternative ports. I prefer to stick with standard well-known ports for SAS where I can, so I went looking for resources. I spent a fair amount of time searching but I finally found what I needed at the bottom of the the following page:
SAS(R) 9.2 Intelligence Platform: Web Application Administration Guide, Fourth Edition > SAS Web Report Studio Administration > Configuring SAS Web Report Studio > Modify Port Numbers for In-Process Scheduling in a Clustered Environment

The SAS document explains that SAS Web Report Studio 4.3 has 30 ports available in the range of 7560 to 7589. The defaults ports for Lev1 are 7570, 7571 and 7572 (as I saw in the installation) and incrementing blocks of 3 can be used for other levels. i.e. Lev2 would use 7573, 7573 and 7574 and so on. Based on my experience above I assume these assignments haven’t made it into the SAS Deployment Wizard as yet.

It is also possible to set the ports after the installation from with the SAS Management Console as explained at the end of the SAS document.

Armed with this info I drew up the following table I can refer to with future installations:

  In-Process
Scheduling
Port 1
In-Process
Scheduling
Port 2
In-Process
Scheduling
Port 3
Lev 1: 7570 7571 7572
Lev 2: 7573 7574 7575
Lev 3: 7576 7577 7578
Lev 4: 7579 7580 7581
Lev 5: 7582 7583 7584
Lev 6: 7585 7586 7587
Lev 7: 7588 7589 7560
Lev 8: 7561 7562 7563
Lev 9: 7564 7565 7566
Lev 0: 7567 7568 7569

You might notice in the Lev7 row that the third port drops down to 7560 rather than incrementing to 7590. I did this because the documentation suggests the range is only 30 ports from 7560-7589. I haven’t yet tried using a port outside that range to see what happens (I don’t know if WRS validates the port number before it uses it).

Now I have my Lev2 port numbers I can carry on with my installation.

Disabling the Ubuntu Login Screen (GDM) User Pick List

I’m used to typing in both my userid and my password when I log in to computers. I have never been a fan of the user pick lists that now seem to be common to many operating systems. I can see how they can be convenient for family machines at home, but the idea of advertising a list of potential accounts to compromise doesn’t sit well with me, so my preference is to disable the pick list and go back to the traditional typed userid & password form.

I run SAS on Ubuntu and recent Ubuntu versions (I forget which one it started with) now have a user pick list by default. The method for disabling the user pick list in Ubuntu is not that obvious and I find myself googling it every time I need it. A good article that provides both command line and GUI methods of disabling the user list can be found at Disabling the Login Screen User List in Ubuntu

The command line version is:

sudo -u gdm gconftool-2 --set --type boolean /apps/gdm/simple-greeter/disable_user_list true

This can be followed by a quick restart of GDM:

restart gdm

.. and the user pick list is no more.

With Lucid (Ubuntu 10.04 LTS) there is still a redundant login button that needs to be clicked before you get to type your user id, but it’s still better than before. There has been a bug lodged for this behaviour (GDM without user list requires that you click Log In) and it appears to have been fixed so I look forward to seeing it when I next upgrade.