Tuesday, May 24, 2011

Using SAS92HFADD behind a “tough” firewall using CURL


As I have mentioned previously in Using SAS92HFADD behind a firewall, the SAS 9.2 Hot Fix Analysis, Download and Deployment tool is a great utility for the SAS Admin to help keep their SAS environment up to date with all the latest hot fixes from SAS.  I routinely implement this as part of deploying SAS, and in most cases the tweaks I mention in my previous blog post are all that is needed.  Unfortunately during one deployment I was faced with an outbound proxy/firewall that required Windows authentication…

The Problem

The organisation I was working with required all outbound internet traffic to pass through an authenticated proxy/firewall server.  For normal internet access from a PC this all happens seamlessly via their Windows network. i.e. A user logs into their PC using their Windows credentials and then any network resource requiring authentication would negotiate using those credentials “behind the scenes” – probably using NTLM, SSPI or Kerberos.  The SAS92HFADD tool uses the File Transfer Protocol (FTP) and the command line FTP client provided with Windows doesn’t support using proxy servers nor can it negotiate using NTLM, SSPI or Kerberos (that I know of).  The solution that I chose was to use CURL – an open source command line tool for transferring files via a number of protocols (FTP, HTTP, etc.) that also supports proxies and authentication.

I have only done this on Windows servers, but I’m sure the same basic premise should work on Unix/Linix servers to get through a Windows based proxy/firewall as well.

Windows

1. Download the SAS92HFADD package

The download is a self extracting archive which when run will provide three files:
  • SAS92HFADD.exe
  • SAS92_hot_fix_data_ftp_download.bat
  • SAS92_hot_fix_data_ftp_download_script.txt

2. Download CURL

CURL can be downloaded from http://curl.haxx.se/download.html. The CURL package that you download should have the SSPI option compiled into it.  The package that I used was  Win32 2000/XP  7.21.6 binary by G√ľnter Knauf 1.32 MB.
image

3. Extract the CURLy bits

The CURL ZIP file that you downloaded has four files that you need to extract into the SAS92HFADD directory:
  • curl.exe
  • libcurl.dll
  • libeay32.dll
  • libssl32.dll
image
Your SAS92HFADD directory should look like this:
image

4. Modify SAS92_hot_fix_data_ftp_download.bat

Replace the entire contents of this file with the following single line:
curl -U : -x internetproxy:8080 --proxy-ntlm -o SAS92_hot_fix_data.xml http://ftp.sas.com/techsup/download/hotfix/HF2/util01/SASHotFixDLM/data/SAS92_hot_fix_data.xml
internetproxy:8080 should be the name and port of your proxy server

5. Run SAS92HFADD.EXE

After adding the DeploymentRegistry.txt file into the sas92hfadd directory, the next thing I did was open a command prompt (cmd.exe), change into the sas92hfadd directory and execute the sas92hfadd program:
image
This will connect to SAS and do it’s magic, resulting in a time-stamped subdirectory containing the AnalysisReport, DownloadTools, DeploymentTools and Logs directories.

6. Modify ftp_script.txt

Navigate into the DownloadTools directory and you should find the following files:
image
Open ftp_Script.txt in your favourite text editor and get ready for some search + replace fun!
Here is my file before any changes:
image
The first string we want to find is:
get techsup
This should be replaced with the following (changing internetproxy:8080 to your proxy and port): curl -U : -x internetproxy:8080 --proxy-ntlm http://ftp.sas.com/techsup
The above string is all one line.
The second string to change is:
..\
This should be replaced with:
-o ..\
There is a SPACE between “-o” and “..\”.
The next step is not a simple search and replace, but changing the first four lines of the file from:
open ftp.sas.com anonymous SAS92HFADD@sas.com binary
to:
@echo off set PATH=..\..;%PATH%
And finally, removing the last line that contains “quit”.
The final file looks like:
image
Now we can save this file as “curl_script.bat”
image

7. Download the Hot Fixes

Now we can execute the curl_script.bat file (instead of the ftp_script.bat file) to download our hot fixes.

image

8. BAU

From here on it is Business As Usual Winking smile

The above is all “experimental” as I have only had to go to these lengths on one customer site – your mileage may vary, but I hope if you do come across this situation these steps will help you develop your own solution.