Tag: SAS Configuration

Interesting SAS 9 Metadata Server Access Control Loggers

In my previous post on Finding Interesting SAS 9 Loggers, I highlighted 3 loggers I find useful for SAS 9 metadata access control change auditing, especially when using the new Metacoda Plug-ins 6.2 Activity Reviewer. There is also a 4th logger where you might already have trace level logging enabled, as it is configured so when you set up the SAS Environment Manager Service Architecture Audit, Performance, and Measurement (APM) component. In this post I want to go into more detail on each of those 4 loggers and explain what information they log and why I find them useful.

SAS Management Console Server Manager Logger Dialog

The loggers in question are:

  • Audit.Meta.Security.AccCtrlAdm
  • App.OMI.SecurityAdmin.SetAuthorizationsOnObj
  • App.OMI.SecurityAdmin.ApplyACTToObj
  • App.OMI.SecurityAdmin.RemoveACTFromObj

Continue reading “Interesting SAS 9 Metadata Server Access Control Loggers”

Finding Interesting SAS 9 Loggers

SAS 9 server log files contains lots of useful information to help you monitor, audit, and troubleshoot the usage of your SAS 9 platform deployments. However, sometimes the information you need might not be there by default. Thankfully the SAS 9 Logging Facility is flexible and allows a wide range of configuration customizations. Usually this is done by modifying the logconfig.xml file for the SAS server of interest, such as the SAS Metadata Server. This config file is normally only read when the SAS server restarts so you might not want to keep restarting a heavily used server to test out your logging config changes. This is where the SAS Management Console Server Manager plug-in shines. You can use it to connect to a SAS server, view all of the available loggers, change their logging levels, and have those changes take effect immediately without a server restart. If you find loggers and levels that give you the information you need, you can then update the config file and have the server restarted at a much more convenient time.

You can find the SAS documentation for this under Using SAS Management Console to Monitor SAS Servers. In this post I show how I use it to find interesting SAS metadata Server loggers. Continue reading “Finding Interesting SAS 9 Loggers”

Configuring Metacoda Identity Sync Utils for AutoCall

I needed to extract some SAS identity related metadata today using the Metacoda Identity Sync Utils on GitHub. That repository contains some macros we publish to help our customers and partners when they need to get hold of some identity related metadata in SAS tables for custom Identity Sync processing or other reporting requirements (if the standard SAS %MDUEXTR macro doesn’t meet their needs).

Since I use these macros on a semi-regular basis, I decided to make them available to the SAS platform as autocall macros so I could just use them in my SAS code without having to remember where they were stored and %include them. I thought I’d post some brief notes on how to set it up in case you want to do the same (and for when I need it on another SAS platform installation). Continue reading “Configuring Metacoda Identity Sync Utils for AutoCall”

Did I add that CA Certificate to the SAS Trusted CA Bundle?

Sometimes I forget whether I’ve added our internal site root and intermediate CA certificates to the Trusted CA Bundle that SAS® Software applications use. Sometimes I also forget the command I can use to find out whether I did! ;) As is often the case with my blog posts, by jotting things down here, I can find them again either by searching this blog, or more likely, by remembering I wrote it when I see it turn up in Google search results!

If you use site-signed certificates from your own internal CA in your SAS platform installations then you’re probably already familiar with adding them to the Trusted CA Bundle using the SAS Deployment Manager (see the Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager section in the Encryption in SASĀ® 9.4 book for more info).

If you want to find out what CA certificates are already in that bundle you can use the Java keytool command like so:

/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks -storepass changeit

It generates a long list of CA certs, so I pipe it through grep to look for the ones I want:

/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks -storepass changeit | grep -i metacoda

If you want more details on the certificates you can Continue reading “Did I add that CA Certificate to the SAS Trusted CA Bundle?”

Suppressing SAS Workspace Server MVA_DSIO.OPEN_CLOSE and _DISARM Messages

This is just a very quick post to jot down the location of a SAS reference that I keep losing! I have the SAS Audit, Performance and Measurement (APM) package installed in my older SAS 9.4 M0 dev/test environment. The APM package is now deprecated as the functionality has moved into SAS Environment Manager (from 2.4). One of the effects of having APM installed is that my SAS Workspace Server logs have a huge number of lines that look like this: 

NOTE: MVA_DSIO.OPEN_CLOSE| _DISARM|         STOP| _DISARM| 2016-07-31T15:44:27,279+10:00| _DISARM| WorkspaceServer| _DISARM| | 
      _DISARM| | _DISARM| | _DISARM| 9854976| _DISARM| 12| _DISARM| 12| _DISARM| 320| _DISARM| 1840| _DISARM| | _DISARM| | _DISARM| 
      | _DISARM| | _DISARM| | _DISARM| | _ENDDISARM 
NOTE: PROCEDURE| _DISARM|         STOP| _DISARM| 2016-07-31T15:44:27,279+10:00| _DISARM| WorkspaceServer| _DISARM| | _DISARM| | 
      _DISARM| | _DISARM| 9854976| _DISARM| 12| _DISARM| 12| _DISARM| 728| _DISARM| 1840| _DISARM| | _DISARM| | _DISARM| | _DISARM| 
      | _DISARM| | _DISARM| | _ENDDISARM

Sometime I want to suppress those lines (without uninstalling SAS APM). I then remember there’s a SAS page that contains instructions on how to do it, and spend several minutes trying to find it. I keep looking for a SAS Usage Note, but instead it’s a gem at the end of the SAS APM FAQ page: “Why do the Enterprise Guide SAS logs contain messages related to MVA_DSIO.OPEN_CLOSE and _DISARM? How can these messages be eliminated from the SAS log for EG users?”.

Essentially you edit the workspace server’s logconfig.apm.xml and change the Threshold of the WSLogAppender to Error.

You’ll want to pay attention to the note in the FAQ that says it will disable the SAS DI Studio Job Statistics features. I don’t use that feature in this environment, but you might!