1. Installation Guide
  2. Database Tier
  3. Integrate SAS (Optional)
  4. Install SAS on a UNIX Computer

Install SAS on a UNIX Computer

In this section:

Parent topic: Integrate SAS (Optional)

Modify SAS 9.4 and opa_settings on UNIX

Oracle Clinical supports SAS 9.4. You can validate your Oracle Clinical installation, and then upgrade to SAS 9.4 later. The SAS/ACCESS Interface to Oracle requires Oracle SQL*NET on the computer with the SAS software installation.

Follow these instructions on the SAS server—whether SAS is on the same computer or a different one from Oracle Clinical.

Parent topic: Install SAS on a UNIX Computer

Prepare the SAS Template File

Make the following modifications to the SAS template file:

  1. Copy the SAS template file from OPA_HOME/oc/522/tools to OPA_HOME/bin.
  2. Open the SAS file in a text editor and find this text string:
    <path_to_SAS_executable>
  3. Replace the string with the actual SAS executable path; for example:
    /root/SAS94/SASFoundation/9.4/sas $*
  4. Save your work.

Parent topic: Modify SAS 9.4 and opa_settings on UNIX

Edit the opa_settings File

To use SAS 9.3 with Oracle Clinical on a UNIX platform:

  1. Navigate to the following directory:

    OPA_HOME/bin

  2. Open the opa_settings file.
  3. Change the value of the SASORA environment variable from V8 to V9. For example:

    db_env_setting:_DEFAULT_:SASORA:V9

    You can use the scope to apply your change only to certain databases. In the following example, all databases use the V9 SAS/ACCESS engine with the exception of database OC45, which uses the V8 engine.

    db_env_setting:OC45:SASORA:V8

Parent topic: Modify SAS 9.4 and opa_settings on UNIX

Set Up a SAS Connection

You can set up a SAS connection to the Oracle database in two ways—using Oracle Wallet or SAS encryption. During installation, the database Installer prompts you for the SAS_CONNECTION value and adds it to the OCL_STATE reference code list. The short value is SAS_CONNECTION and the long value can be either ORACLE_WALLET or SAS_ENCRYPTION.

Oracle Wallet

This is the default option.

If your SAS server is the same as the database server, and you set ORACLE_WALLET as the long value, the SAS connection is set up automatically.

If your SAS server is on a different machine from the database and you want to use ORACLE_WALLET, it is not necessary to install the Oracle Clinical server on the SAS server machine as long as you are able to connect to the database after you log in as opapps.

On the SAS server:

  1. Log on as opapps.
    • If the Oracle Clinical database server is not installed on the same machine, set the environment variables in .cshrc so you can connect to the database using SQL*Plus.
    • If the Oracle Clinical database server is installed on the same machine,
  2. Set up the Oracle Wallet on the SAS server. See Create an Oracle Wallet and Generate a Certificate Request.
  3. Create an opapps account in the same was you did on Database Server with default shell C Shell. See Create the opapps Account and Add It to Groups.
  4. Enter the SAS server in the OCL_STATE reference codelist for short value REMOTE_SAS_SERV. See the Oracle Clinical Administrator's Guide for information.

SAS Encryption

To set up a SAS connection using SAS encryption:

  1. Log in to the database as the system user and create a database account:

    create user sas_proxy_user

    For example, abc123

  2. Grant proxy connection for the database user account:

    alter user <oc user> grant connect through <sas_proxy_user>

  3. Log in to the PSUB server as RXC_SAS_VIEW owner and run the commands:

    opa_setup <dbname> <codenv>

    cd $RXC_SAS_VIEW

  4. Create a SAS file with the following content: 
    filename pwfile 'sas_proxy_password_encoded_file';
proc pwencode in='abc123' out=pwfile method=sas002;
run;
  5. Run the file created in Step 4. This creates the sas_proxy_password_encoded_file which stores the encrypted password of the sas_proxy_user db user.
  6. Remove the file created in Step 4.
  7. Run the SAS files.

    The sas_proxy_user does not have create session privileges and so cannot be directly connected through an SQL*Plus session.

    Other OS users can run SAS jobs from their accounts if they have read access to the path $RXC_SAS_VIEW. In other words, if the OS user belongs to the oclsascr group.

Parent topic: Modify SAS 9.4 and opa_settings on UNIX

Additional Modifications for Oracle Solaris

This section describes Oracle Solaris-specific installation issues.

LD_LIBRARY_PATH

On Oracle Solaris, in previous releases of Oracle Clinical and versions of SAS before 8.2, you had to configure a script in OPA_HOME/bin that intercepted the SAS command to set some additional environment variables. The script then called the actual SAS executable. In Oracle Clinical, the SAS script file includes a step that points to the 32-bit libraries.

SAS/ACCESS Error with Oracle Database 11g

Using Oracle Database 11g may cause an error with SAS/ACCESS to Oracle. When using SAS/ACCESS to Oracle's SQL Pass Through Facility or Libname engine, you may receive an error similar to this one:

error: ld.so.1 sas: fatal: libclntsh.so.9.0:        open failed: no such file or directory

To work around this problem:

  1. Create a link from libclntsh.so.11.0 to libclntsh.so.9.0.
    ln -s libclntsh.so.12.0 libclntsh.so.9.0

Parent topic: Modify SAS 9.4 and opa_settings on UNIX

Install SAS on the Same UNIX Computer as Oracle Clinical

Oracle recommends installing SAS on the same server computer as the Oracle Clinical database server installation.

For more information, see:

Parent topic: Install SAS on a UNIX Computer

Set REMOTE_OS_AUTHENT to FALSE

To set REMOTE_OS_AUTHENT to FALSE:

  1. Verify that the REMOTE_OS_AUTHENT initialization parameter is set to FALSE for the Oracle Clinical database instance in the init.ora file.
    REMOTE_OS_AUTHENT=FALSE

Parent topic: Install SAS on the Same UNIX Computer as Oracle Clinical

Set Up a SAS Connection

You can set up a SAS connection to the Oracle database in two ways—using Oracle Wallet or SAS encryption. The Oracle Clinical Installer sets the SAS_CONNECTION value in the OCL_STATE reference codelist to ORACLE_WALLET.

Oracle Wallet

This is the default option. The SAS connection is set up automatically.

SAS Encryption

Manually set SAS_ENCRYPTION as the SAS_CONNECTION long value in the OCL_STATE local reference codelist. In addition:

  1. Log in to the database as system user and create the sas_proxy_user database account:

    create user sas_proxy_user identified by <password>;

  2. Grant proxy connection for each database user account who needs to submit SAS Data Extract jobs:

    alter user <oc user> grant connection through sas_proxy_user

    OR

    Run the script ocl_grant_revoke_sas_proxy_user.sql in the install directory to grant or revoke user connections through proxy account sas_proxy_user

  3. Log in to the PSUB server as RXC_SAS_VIEW owner and set the environment:

    • C shell:
      opa_setup database_name code_environment
    • Bourne shell:
      p1 = database_name
p2 = code_environment
. opa_setup
  4. Run the command:

    cd $RXC_SAS_VIEW

  5. Create a temporary SAS file named pwd.sas to contain the password for the sas_proxy_user account: 
    filename pwfile 'sas_proxy_password_encoded_file';
proc pwencode in='password' out=pwfile method=sas002;
run;
  6. Run the file created in Step 4 to encrypt the file. This creates the sas_proxy_password_encoded_file which stores the encrypted password of the sas_proxy_user db user (where pwd.sas is the name of the temporary file you created):
    • In UNIX:

      sas pwd.sas

    • In Windows:

      sas pwd.sas -sysin

  7. Remove the file created in Step 4.
  8. Run the SAS files.

Parent topic: Install SAS on the Same UNIX Computer as Oracle Clinical

Install SAS on a Different UNIX Computer from Oracle Clinical

Oracle recommends installing SAS on the same UNIX server computer as the Oracle Clinical database server installation.

If you choose to install SAS on a UNIX server computer different from that of the Oracle Clinical database server installation, it must be on the same intranet and you need to set up a connection to SAS.

For more information, see:

Parent topic: Install SAS on a UNIX Computer

Establish the Connection to SAS on a Different Computer

Note:

The procedures in this section uses secure shell (ssh) to establish the connection to SAS.

To set up SAS on a different UNIX server computer:

Parent topic: Install SAS on a Different UNIX Computer from Oracle Clinical

NFS
  1. Use Network File System (NFS) protocol to make the directory on the Oracle Clinical server pointed to by the $RXC_USER /sas_view visible to the SAS server.
  2. Export this directory with write privileges because the SAS scripts generated by Oracle Clinical produce SAS view descriptors that are created in this directory tree.

Note:

By default, the $RXC_USER environment variable is the opapps home directory.
Create opapps on the SAS Server
  1. Create the opapps UNIX user account on the SAS server.
  2. Create a group for opapps and put it in the group.
  3. Link /etc/group with /etc/logingroup on the SAS server if it is not the primary group for opapps.
Check init.ora
  1. Open the init.ora file.
  2. Verify that the REMOTE_OS_AUTHENT initialization parameter is set to FALSE for the Oracle Clinical database instance in the init.ora file:

    REMOTE_OS_AUTHENT=FALSE

See the Table 2-3 table for more information.

Create a Shell Script

Create a shell script that forces a "SAS" invocation on the Oracle Clinical database server to run as a remote shell on the SAS server that invokes the SAS engine, passing it the name of the SAS file:

  1. Create the shell script on the Oracle Clinical database server in a publicly visible directory, such as opapps/bin.
  2. Name the script sas.
  3. Set the protection mode to 755.
  4. Insert code lines into the SAS file.
    #!/bin/sh
RXC_LOG1=log_path_on_the_SAS_server
SASDIR=`dirname $3`
FILENAME=`basename $2`
LOGNAME=$RXC_LOG1$FILENAME
ssh server_name /bin/sh -c ". .profile;setenv 
TNS_ADMIN $HOME ;setenv ORACLE_HOME 
oracle_home_on_sas_server;cd $SASDIR ; 
path_to_sas_script_on_SAS_server -log $LOGNAME $3 $4 $5 $6 "

    Where:

    • RXC_LOG1 is the path of the log directory in the SAS server
    • SASDIR is the directory RXC_SAS_VIEW where SAS view is created and folder is NFS mounted; comes as input
    • FILENAME is the SAS log file name; comes as input
    • server_name is the SAS server connected through ssh
    • path_to_sas_script_on_SAS_server is the sas file created in the OPA_BIN directory on the SAS server

    For example:

    #!/bin/sh
RXC_LOG1=/pharm/home/opapps/log
SASDIR=`dirname $3`
FILENAME=`basename $2`
LOGNAME=$RXC_LOG1$FILENAME
ssh opapps@server_name /bin/sh -c ". .profile;setenv 
TNS_ADMIN $HOME ;setenv ORACLE_HOME 
/u01/app/oracle/product/12.0.0.1;cd $SASDIR ; 
/home/opapps/bin/sas -log $LOGNAME $3 $4 $5 $6 "

Set Up SAS Security on a Different Computer

You can set up a SAS connection to the Oracle database in two ways—using Oracle Wallet or SAS encryption. The Oracle Clinical Installer sets the SAS_CONNECTION value in the OCL_STATE reference codelist to ORACLE_WALLET.

Oracle Wallet

This is the default option. You do not need to change the OCL_STATE reference codelist SAS_CONNECTION value, but you must enter the SAS server as the REMOTE_SAS_SERV value in OCL_STATE. See the Oracle Clinical Administrator's Guide for information.

And, on the SAS server:

  1. Create an opapps account in the same way you did on database server with default shell C Shell. See Create the opapps Account and Add It to Groups.
  2. Log on as opapps.
  3. Set the environment variables in .cshrc so you can connect to the database using SQL*Plus.
  4. Set up the Oracle Wallet on the SAS server. See Create an Oracle Wallet and Generate a Certificate Request You may use the same Wallet password that you used during Oracle Clinical installation or a different one:
    mkstore -wrl wallet_location -create -nologo

    Example wallet location: /home/opapps/wallet

  5. Enter your password, then enter it again.
  6. Add OCPSUB credentials:
    mkstore -wrl wallet_location -createCredential db_connect_string OCPSUB
  7. Enter information as follows at the prompts:
    • Enter your secret password: Enter the OCPSUB password.
    • Re-enter your secret password: Re-enter the OCPSUB password.
    • Enter wallet password: Enter the Wallet password created above.
  8. Create sqlnet.ora in opapps home. Specify the Wallet path. For example:
    WALLET_LOCATION=(SOURCE =(METHOD = FILE)(METHOD_DATA =(DIRECTORY = /pharm/home/opapps/521000/wallet)))SQLNET.WALLET_OVERRIDE = TRUE

    where /pharm/home/opapps/521000/wallet is the wallet path

  9. In the opapps home, add the following in .cshrc: 
    setenv TNS_ADMIN $HOME
  10. Test the Wallet connection:
    1. Open another telnet/putty session of SAS server and log in as opapps.
    2. Try connecting. It should not require specifying a password.
      sqlplus /@db_connect_string
sql> show user

      You should see the OCPSUB user.

SAS Encryption

To set up a SAS connection using SAS encryption, follow instructions for SAS encryption in Install SAS on the Same UNIX Computer as Oracle Clinical.

Parent topic: Install SAS on a Different UNIX Computer from Oracle Clinical

Configure Private and Public Keys for Using SSH with SAS

If you are installing SAS on a different server on an intranet, do the following to establish an SSH connection from the PSUB server to the SAS server.

Oracle Clinical DB Server

Perform the following tasks on the Oracle Clinical UNIX database server computer:

  1. Log in to the Oracle Clinical UNIX database server computer as the opapps user.
  2. Use ssh-keygen to create a password-less set of identity keys:

    ssh-keygen -t rsa -N ''

    The system prompts for the file into which you want to save the set of identity keys.

  3. Press Return to accept the default location. This process creates two files in the user's home directory:
    • ~/.ssh/id_rsa This file contains the private key that represents your identity on that particular machine. Note that the private key is neither world nor group readable. You should never transfer the private key from the machine or change its modes.
    • ~/.ssh/id_rsa.pub This file contains the public key, which is world readable. The ssh program and other programs can use the public key to encrypt messages that only you can decrypt using the private key. The -N ' ' argument to the ssh-keygen command specifies that no passwords are associated with the public keys.
  4. Transport the file id_rsa.pub to a location on the SAS Server (for example, /tmp) using a secure method as defined by the policies of your organization.

SAS Server

Perform the following tasks on the SAS Server computer:

  1. Log in to the SAS Server computer as opapps.
  2. In the home directory Create the .ssh directory if it does not exist, and set the permission to 700:
    mkdir .ssh 
chmod 700 .ssh 
cd ~/.ssh
  3. Append the contents of the id_rsa.pub file in the /tmp directory to the authorized_keys file in the GUEST1_HOME/.ssh directory. For example:

    cat /tmp/id_rsa.pub >> authorized_keys

  4. Change the permission of the authorized_keys file to 600:

    chmod 600 authorized_keys

Verify SSH

To test the ssh setup from the Oracle Clinical Database server:

  1. Log in as opapps.
  2. Enter:
    ssh sas_servername

    It should log you in to the Sas server without the password.

Parent topic: Install SAS on a Different UNIX Computer from Oracle Clinical