How to Increase Encryption Strength for Outbound Passwords in Transit

About Outbound Passwords and Over-the-Wire Encryption

A password is outbound when a client retrieves the password from the metadata in order to provide seamless access to a server such as Oracle. The password is outbound from the perspective of the metadata server. Connections to third-party servers often use outbound passwords. Most other connections don't use outbound passwords.
In the initial configuration, outbound passwords are transmitted in SAS002 format (SASProprietary encryption). If you have licensed SAS/SECURE, you can choose to increase the encryption strength for outbound passwords to SAS003 (AES encryption).

Upgrade to RETURNPASSWORDS=SAS003

To increase encryption strength for outbound passwords (if you have SAS/SECURE):
  1. Edit the metadata server's omaconfig.xml file to change the initial setting, RETURNPASSWORDS="SAS002", to the more secure setting, RETURNPASSWORDS="SAS003". The metadata server's omaconfig.xml file is located in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer/.
  2. Restart the metadata server.
  3. Verify that server connections continue to function as expected. If you encounter problems, either review the following topics or revert to RETURNPASSWORDS="SAS002".

RETURNPASSWORDS=SAS003 and Compatibility

Almost all connections are compatible with SAS003 passwords, because almost all connections involve a SAS server and SAS servers can decode SAS003 passwords. For example, connections from SAS Information Map Studio to an Oracle server go through a workspace server. The workspace server decodes the outbound Oracle password.
However, a few specialized connections run directly from a Java client or .NET client to a third-party server. These clients can't decode SAS003 passwords. This is a deliberate limitation that reduces security exposures. Of course, a third-party server can't decode SAS003 passwords either. As a result, such connections fail if they attempt to use a password that is in SAS003 format. Here are some specific types of connections that can't use a SAS003 password (the list isn't exhaustive):
  • Connections from a Java client or .NET client to an Esri server.
    Note: The Esri server uses host authentication. If possible, avoid the use of outbound passwords by locating this server on a machine that recognizes the accounts with which users log on to SAS applications. This facilitates use of cached credentials to access the Esri server.
  • Connections from a Java client or .NET client to a nonstandard WebDAV server. A nonstandard WebDAV server is any server other than the SAS Content Server or Xythos.
  • Certain connections within the following solutions:
    • SAS Profitability Management
    • SAS Activity-Based Management
    • SAS Merchandise Intelligence
    • SAS Model Manager (in some configurations)

Accommodating Connections That Can't Use SAS003 Passwords

If you have SAS/SECURE but your deployment requires connections that are incompatible with SAS003 passwords, choose either of the following approaches:
  • Simply preserve the initial setting of RETURNPASSWORDS="SAS002".
    Note: With the default settings for sites that have SAS/SECURE (STOREPASSWORDS="SAS003" and RETURNPASSWORDS="SAS002"), outbound passwords are stored in SAS003 format and downgraded to SAS002 format before they are transmitted.
  • Set RETURNPASSWORDS="SAS003", but also selectively force the outbound passwords for the problematic connections to be transmitted in SAS002 format. To force a particular password to be transmitted in SAS002 format, store that password in that format. A password that is stored in SAS002 format is transmitted in that format even if RETURNPASSWORDS="SAS003", because the metadata server doesn't upgrade the encryption strength of a stored password when the password is transmitted.
    To use this approach:
    1. In the metadata server's omaconfig.xml file, set STOREPASSWORDS="SAS002". Restart the metadata server.
    2. In SAS Management Console, under User Manager, locate and select the login that contains the outbound password. The login is on the Accounts tab of a user or group definition.
    3. Click Edit. In the Login Properties dialog box, enter and confirm the password. Click OK to close the Login Properties dialog box. Click OK again to close the user or group properties dialog box.
      Note: This stores the password in the metadata in SAS002 format.
    4. Repeat steps 2 and 3 for any other problematic outbound passwords.
    5. In the metadata server's omaconfig.xml file, set STOREPASSWORDS="SAS003" and RETURNPASSWORDS="SAS003". Restart the metadata server.
    6. Verify that server connections continue to function as expected.
    Note: If you update the SAS002 passwords, you must repeat the process so that the new password is stored in SAS002 format.
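The following added example (not SAS documentation or SAS code) models the rule both procedures above rely on: a stored password leaves the metadata server in the weaker of its stored format and RETURNPASSWORDS, and is never upgraded. The <OMAconfig>/<OMA> element layout, the constructed login list and the helper names are assumptions; only the attribute and format names come from the page.

```python
import xml.etree.ElementTree as ET

# Relative strength of the two formats named on the page (SAS003 = AES, SAS002 = SASProprietary).
STRENGTH = {"SAS002": 2, "SAS003": 3}

# Constructed omaconfig.xml fragment; the element layout is an assumption,
# only the two attribute names are taken from the page.
SAMPLE_OMACONFIG = """<OMAconfig>
  <OMA STOREPASSWORDS="SAS003" RETURNPASSWORDS="SAS002"/>
</OMAconfig>"""

# Constructed logins: name, format the password was stored in, and whether the
# consumer decodes SAS003 (a SAS server does; a direct Java/.NET client to a
# third-party server does not).
SAMPLE_LOGINS = [
    ("oracle_via_workspace", "SAS003", True),
    ("esri_direct", "SAS002", False),
    ("webdav_direct", "SAS003", False),
]


def read_password_settings(xml_text):
    """Return (STOREPASSWORDS, RETURNPASSWORDS) from an omaconfig.xml document.
    Missing attributes fall back to the SAS/SECURE defaults the page describes."""
    root = ET.fromstring(xml_text)
    oma = root if root.tag == "OMA" else root.find("OMA")
    if oma is None:
        raise ValueError("no OMA element found")
    store = oma.get("STOREPASSWORDS", "SAS003")
    ret = oma.get("RETURNPASSWORDS", "SAS002")
    for value in (store, ret):
        if value not in STRENGTH:
            raise ValueError(f"unknown password format {value!r}")
    return store, ret


def transit_format(stored_format, return_setting):
    """Format in which a stored password is transmitted: the server downgrades to
    RETURNPASSWORDS when that is weaker, but never upgrades a weaker stored format."""
    return min(stored_format, return_setting, key=STRENGTH.__getitem__)


def audit_logins(xml_text, logins):
    """Map each login to (transit format, would the connection fail?).
    A connection fails when the consumer cannot decode the transmitted format."""
    _, ret = read_password_settings(xml_text)
    report = {}
    for name, stored, decodes_sas003 in logins:
        fmt = transit_format(stored, ret)
        report[name] = (fmt, fmt == "SAS003" and not decodes_sas003)
    return report
```

Running audit_logins against the sample with RETURNPASSWORDS changed to "SAS003" shows why the second approach re-stores the problematic passwords in SAS002: only the login stored in SAS002 keeps working.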