Communications Access Methods for SAS/CONNECT and SAS/SHARE Software
As an alternative method to signing on to a remote session by using a TSO sign-on script, the OS/390 spawner program initiates SAS/CONNECT sessions on OS/390 systems without requiring that username and password pairs be passed over the network in clear text mode.
If the local SAS session is running Release 6.09E or a subsequent release, or Release 6.11 TS040 or a subsequent release, all data that flows from the local host to the spawner program during sign-on is encrypted by default.
The OS/390 spawner program supports encrypted sign-ons by default, to an OS/390 system with or without scripts.
The OS/390 spawner runs as an OS/390 started task. It uses OS/390 Unix System Services, and you must be running OS/390 Version 2 Release 4 or later. The spawner program requires APF-authorization. To start the OS/390 spawner, enter the following operator console command:
This command activates the started task procedure. An example of this procedure follows:
//SPAWNER  EXEC PGM=SASTCPD,
//         PARM=(' =<//DDN:PARMS')
//STEPLIB  DD DISP=SHR,DSN=SAS.SPAWNER.LOAD
//SYSPRINT DD SYSOUT=A
//SYSTERM  DD SYSOUT=A
//PARMS    DD DISP=SHR,DSN=SAS.SPAWNER.PARMS
Here is the syntax to configure the OS/390 spawner program:
If you start the spawner with the -INHERITANCE option, define the port that the spawner listens on to the firewall and map it to the server machine's port. Any number of SAS/CONNECT clients can then connect through this single port and SIGNON to a remote host inside the firewall; each client simply opens a unique socket on the defined port, so you do not need to define an individual port for every client that may need to come in through the firewall. In this configuration, set the REMOTE= value to a two-level name whose first level is the name of the host running the firewall and whose second level is the well-known service name of the port that you have enabled for connections.
Set this option at the remote host and, optionally, at the local host to specify one or more encryption algorithms to use in a SAS/CONNECT session. The local host and the remote host must share at least one encryption algorithm. If you specify the option in the remote host session only, the local host attempts to select one of the algorithms that were specified at the remote host. If you also set the option at the local host and specify an algorithm that is not specified at the remote host, the local host's attempt to connect to that remote host fails when the local host assigns a library.
Valid values for this option are
See the SAS/CONNECT User's Guide or the SAS/SHARE User's Guide for more information about the -NETENCRALG option.
The default for this option is that encryption is used if the -NETENCRALG option is set and if both the local host and the remote host are capable of encryption. If encryption algorithms were specified but either the local host or the remote host is incapable of encryption, then encryption will not be performed.
Encryption may not be supported at the local host or the remote host for the following reasons:
See the SAS/CONNECT User's Guide or the SAS/SHARE User's Guide for more information about the -NETENCRYPT option.
Valid values for this option are:

| Value | Meaning |
|-------|---------|
| 128 | specifies 1024-bit RSA and 128-bit RC2 and RC4 key algorithms. |
| 40 | specifies 512-bit RSA and 40-bit RC2 and RC4 key algorithms. |
| 0 | no value is set. This is the default. |
If you require extra security, then set the -NETENCRKEY option to 128. If you prefer to save CPU, then set the -NETENCRKEY option to 40.
By default, if you try to connect a host that is capable of only a 40-bit key length with a host that is capable of both a 40-bit and a 128-bit key length, then the connection is made using the lesser key length. If both hosts are capable of 128-bit key lengths, then a 128-bit key length is used.
See the SAS/CONNECT User's Guide or the SAS/SHARE User's Guide for more information about the -NETENCRKEY option.
This option may be set at either the local host or the remote host. The default is -NETMAC.
See the SAS/CONNECT User's Guide or the SAS/SHARE User's Guide for more information about the -NETMAC option.
For the TCP/IP access method, the spawner program requires a script file, or it will verify the supplied userid and the password. This option requires that the user set security in the local SAS session prior to sign on. For details about setting security (for example, by means of the USER= and PASSWORD= options in an appropriate statement), see Setting Security for SAS/CONNECT and SAS/SHARE.
If you use the -NOSCRIPT option, you must also use the -SASCMD option.
The service name must be defined identically in the SERVICES file on both the local and remote hosts. See Configuring the SERVICES File for more information about the SERVICES file.
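The following local-session program is an added example, not part of the SAS documentation, that ties together the -INHERITANCE firewall configuration, the encryption options (-NETENCRYPT, -NETENCRALG, -NETENCRKEY, -NETMAC) and the SERVICES entry described above. The spawner PARMS contents quoted in the leading comment, the macro variable FWHOST, the address 192.0.2.10 and the port 5010 are constructed for this example, and NETENCRYPT, NETENCRALG= and NETENCRKEY= are assumed to be the local-session system options that correspond to the spawner options on this page.

```sas
/* Assumed spawner PARMS file on the remote OS/390 host (constructed for this example):
     -service spawner -inheritance -noscript
     -netencrypt -netencralg rc4 -netencralg rc2 -netencrkey 128 -netmac
     -sascmd "SAS OPT('DMR,COMAMID=TCP,NOTERMINAL')"
   -netencrypt makes encryption mandatory, so a local host that cannot encrypt is
   refused instead of silently falling back to clear text.
   A matching SERVICES entry must exist on both hosts (constructed port number):
     spawner    5010/tcp
   and the firewall forwards its port 5010 to port 5010 on the OS/390 host. */

/* FWHOST is a constructed macro variable holding the firewall's address.
   With -inheritance the two-level remote id names the firewall host and the
   service, not the OS/390 host behind it. */
%let fwhost=192.0.2.10;

options comamid=tcp
        netencrypt        /* do not accept a clear-text session              */
        netencralg=rc4    /* must be one of the algorithms in the spawner PARMS;
                             an algorithm absent there makes the connection fail */
        netencrkey=128;   /* both sides support 128, so 128 is used; a 40-bit-only
                             host would be negotiated down to 40                */

/* _prompt_ asks for the userid and password at sign-on. Because the encryption
   options are in effect before SIGNON, those credentials are not sent in clear text. */
signon fwhost.spawner user=_prompt_;

/* Confirm on the remote side which algorithm was actually negotiated. */
rsubmit;
   proc options option=netencralg;
   run;
endrsubmit;

signoff fwhost.spawner;
```

If the remote PARMS listed only DES, the NETENCRALG=RC4 setting above would cause the SIGNON to fail rather than downgrade; leaving NETENCRALG= unset on the local host lets it pick one of the algorithms the spawner advertises.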
Examples of Starting and Connecting to the OS/390 Spawner Program
The following examples illustrate how to start the spawner program and how to connect to it.
The following OS/390 command starts the spawner program at the remote OS/390 host with the service-name spawner and allows clear-text sign-ons from local hosts that use a
It uses the following PARMS file:
-service spawner -cleartext
At an OS/390 local host, the following statements specify a script file tcpmvs.scr that makes a connection to the spawner program on the system RMTHOST, which is listening on the port that is named spawner. The value for REMOTE= is the name of the OS/390 node, or it can be a macro variable that contains the Internet address of the OS/390 node where the spawner program is running.
options comamid=tcp;
filename rlink '!sasroot\connect\saslink\tcpmvs.scr';
signon rmthost.spawner;
Note: Do not use the return key to break the line that specifies the filename; continue typing the statement on a single line.
The following OS/390 command starts the spawner program at the remote OS/390 host.
It uses the following configuration file:
-service spawner -inheritance -noscript -netencralg rc2 -netencralg des -sascmd "SAS OPT('DMR,COMAMID=TCP,NOTERMINAL')"
At an OS/390 local host, the TCP/IP access method is used to connect to the remote host named RMTHOST, which must be either the node name of the OS/390 node or a macro variable that contains the Internet address of the OS/390 node where the spawner program is running. The USER= option in the SIGNON statement prompts the user for a userid and password when connecting to RMTHOST on which the OS/390 spawner program named
options comamid=tcp;
signon rmthost.spawner user=_prompt_;
Ending the OS/390 Spawner Program
To stop the spawner, enter the following system command:
Copyright 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.