Installation Instructions for Hot Fix E5U001
Linux for x64
Hot fix E5U001 addresses the issue(s) in SAS Threaded Kernel Secure 9.4_M6 on Linux for x64 as documented
in the Issue(s) Addressed section of the hot fix download page:
https://tshf.sas.com/techsup/download/hotfix/HF2/E5U.html#E5U001
The hot fix downloaded, E5U001la.zip, contains the updated files required to address
the documented issues.
Do NOT extract the contents of E5U001la.zip. The hot fix installation process will extract
the contents as needed.
IMPORTANT NOTES
-
You must have SAS Threaded Kernel Secure 9.4_M6 installed on your system before applying this hot fix.
Refer to SN-35968 for instructions on how to determine which product releases you have installed.
-
Files delivered in this hot fix will be backed up during the installation process.
However, it is good general practice to back up your system before applying updates
to software.
-
You must have Administrator Privileges on your CLIENT or SERVER machine.
-
All currently active SAS sessions, daemons, spawners and servers must be terminated
before applying this hot fix.
- This hot fix should be installed using the same userid who performed the initial
software installation.
-
CONFIGURATION: No automatic configuration scripting is included for this hot fix. If you have previously configured software installed,
the SAS Deployment Manager may present a screen where you will see "Apply SAS Hot Fixes" and "Configure SAS Hot Fixes" options.
On this screen, you must ensure that the "Configure SAS Hot Fix" option is *not* selected. If this option is automatically
selected, please de-select it prior to proceeding with the SAS Deployment Manager Screens. Failure to do so could have unintended
consequences when applying this hot fix.
INSTALLATION
The E5U001 hot fix for SAS Threaded Kernel Secure 9.4_M6 will be installed using the SAS Deployment Manager.
By default, the SAS Deployment Manager will search in the <SASHOME>/InstallMisc/HotFixes/New directory for hot
fixes to be applied, but will also prompt for a location if you have downloaded hot fixes to a different
directory.
After downloading E5U001la.zip, follow the instructions for applying hot fixes in the
SAS Deployment Wizard and SAS Deployment Manager 9.4: User's Guide.
Please review the CONFIGURATION Important Note above concerning proper selection of the "Configure SAS Hot Fix" option in the SAS Deployment Manager.
The content of this hot fix is listed in the hot fix manifest.
POST-INSTALLATION INSTRUCTIONS
Supported Systems and requirements
This hotfix and instructions apply to Linux only.
MIT Kerberos 1.11.6 or later is required. If the operating system does not provide a supported version, the source code can be
downloaded from
https://web.mit.edu/kerberos/dist/index.html.
This will require building the source code and installing the new libraries. Build and install instructions can be found under
the “Documentation” link on the release page for the chosen version.
Heimdal and Quest are currently not supported.
Prerequisites
Prior to enabling Kerberos Constrained Delegation, SAS servers and spawners must first be configured for Kerberos
(Integrated Windows Authentication). Instructions can be found in the SAS® 9.4 Intelligence Platform: Security Administration Guide,
Third Edition.:
https://go.documentation.sas.com/api/docsets/bisecag/9.4/content/bisecag.pdf
To fully enforce constrained delegation, additional configuration steps are required in Active Directory. This must be completed by a
Domain Administrator with the “Active Directory Users and Computers” tool. Each Kerberos protected resource (e.g., Microsoft SQL Server)
that a SAS Workspace Server can connect to must be defined against the account being configured for constrained delegation. If the SAS
Object Spawner is running under the “Local System” account, then the services are defined under the Computer Object for the SAS Object
Spawner Server. If the SAS Object Spawner is running under a Domain Account, then the services are defined under this account. In the
Delegation tab of the account properties in “Active Directory Users and Computers”, select “Trust this computer for delegation to
specified services only” and “Use any authentication protocol”, then add each service the SAS Workspace Server can connect to.
Post Installation Instructions
Installation of this hotfix does not enable constrained delegation support in SAS by default. After installing the hot fix, complete
the steps here to enable constrained delegation support in SAS.
- The SAS_CONSTRAINED_DELEG_ENABLED environment variable must be set to “1” in <SASCONFIG>/Lev#/level_env_usermods.sh. If SAS Workload
Orchestrator is installed, then also set SAS_CONSTRAINED_DELEG_ENABLED in <SASCONFIG>/Lev#/Grid/sgmg_usermods.sh on all grid worker nodes.
SAS_CONSTRAINED_DELEG_ENABLED=1
export SAS_CONSTRAINED_DELEG_ENABLED
- Setting the Service Principal Name (SPN) Environment Variable
- If using the default SPN and a SPN based keytab, then no additional steps are required. The default SPN for SAS Server-tier services
is SAS/<FQDN of host>. FQDN is the fully qualified domain name of the host. The default SPN for SAS Workload Orchestrator is
HTTP/<FQDN of host>.
- If using a non-default SPN and a SPN based keytab is used, then the SAS_SERVICE_PRINCIPAL environment variable must be set to the
desired SPN. For SAS Servers, this should be set in <SASCONFIG>/Lev#/level_env_usermods.sh. If SAS Workload Orchestrator is installed,
then the environment variable must also be set in <SASCONFIG>/Lev#/Grid/sgmg_usermods.sh. For example,
SAS_SERVICE_PRINCIPAL=MYSAS/my_sas_server.com
export SAS_SERVICE_PRINCIPAL
- If using User Principal Name (UPN) based keytab files, the SAS_SERVICE_PRINCIPAL environment variable must be set to the
user/service account that matches the UPN. For SAS Servers, this should be set in <SASCONFIG>/Lev#/level_env_usermods.sh. If SAS
Workload Orchestrator is installed, then the environment variable must also be set in <SASCONFIG>/Lev#/Grid/sgmg_usermods.sh on all grid
worker nodes. For example,
SAS_SERVICE_PRINCIPAL=sas-services@REALM.COM
export SAS_SERVICE_PRINCIPAL
- Restart the SAS spawners and servers.
<SASCONFIG>/Lev#/sas.servers restart
This completes the installation of hot fix E5U001 on Linux for x64.
Copyright 2019 SAS Institute Inc. All Rights Reserved.