
Encryption Tasks

How to Change Over-the-Wire Encryption Settings for SAS Servers


Automatic Configuration

When you install the metadata server, you select an encryption level (which traffic content is encrypted) and an encryption algorithm (how that traffic is encrypted). The settings that you select for the metadata server are applied to all SAS servers. SAS clients usually don't specify encryption settings; they simply conform to the requirements of the servers.

CAUTION:
In the SAS Deployment Wizard, all algorithms are listed regardless of whether you have SAS/SECURE. Do not select a value other than SASProprietary unless you have licensed SAS/SECURE on all SAS server machines.

Instructions for Post-Installation Changes

If you need to change over-the-wire encryption settings after installation is complete, use the following instructions.

  1. Update server configuration files as follows:

    1. In the operating system that hosts the metadata server, navigate to your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer/.

      • To change the algorithm, add the NETENCRALG setting that you need to the sasv9_usermods.cfg file.

      • To change the encryption level, copy the entire OBJECTSERVERPARMS line from the sasv9.cfg file into the sasv9_usermods.cfg file. Then edit the CEL value in the usermods version of the file.

      For example, to encrypt all traffic with AES, add these lines:

      -netencralg "AES"
      -objectserverparms "cel=everything  {other-parameters}"

      On z/OS, exclude the initial hyphens and add equal signs as follows:

      netencralg="AES"
      objectserverparms="cel=everything  {other-parameters}"

      Note: Do not specify a NETENCRALG value other than SASProprietary unless you have licensed SAS/SECURE on all SAS server machines.

    2. (Optional) If your deployment offers direct connections from clients to the OLAP server, make the same updates to that server's configuration file.

      Note: The OLAP server's configuration files are in your equivalent of SAS/Config/Lev1/SASApp/OLAPServer/.

  2. Update server metadata definitions as follows:

    1. In SAS Management Console, under Server Manager, select the metadata server's definition.

      Note: To get to the server definition, you must expand the application server node and the logical server node.

    2. Right-click the first connection object, and select Properties.

    3. In the Connection dialog box, select the Options tab and click Advanced Options. Adjust the settings as necessary.

    4. In the Advanced Options dialog box, select the Encryption tab.

      Note: All algorithms are listed regardless of whether you have SAS/SECURE. Do not select a value other than SASProprietary unless you have licensed SAS/SECURE on all SAS server machines.

    Repeat the preceding steps for each server that is launched by the object spawner (the stored process server, the workspace server, and the pooled workspace server).

  3. Stop, restart, and validate the servers.


Details About NETENCRALG and CEL

On direct connections, encryption is governed by the server's invocation command. Here are details and some examples:

Note: On z/OS, the following syntax examples are slightly different. See step 1a in the preceding topic.

NETENCRALG (network encryption algorithm)

is a SAS system option. The NETENCRALG setting that is defined for the metadata server during installation is in the metadata server's sasv9.cfg file.

  • If you accept the default encryption settings during installation, the configuration file includes this line:

    -netencralg "SASProprietary"

  • If you have licensed SAS/SECURE and selected the AES algorithm during installation, the setting in the metadata server's sasv9.cfg file is as follows:

    -netencralg "AES"

  • If a different NETENCRALG setting has been added to the metadata server's sasv9_usermods.cfg file, that setting has priority.

  • Other supported values for NETENCRALG are DES, TripleDES, RC4, and RC2. However, if you haven't licensed SAS/SECURE, only SASProprietary is supported.

CEL (client encryption level)

is a parameter in the OBJECTSERVERPARMS SAS system option. The CEL setting that is defined for the metadata server during installation is in the metadata server's sasv9.cfg file.

  • If you accept the default encryption settings during installation, the configuration file includes this line:

    -objectserverparms "cel=credentials  {other-parameters}"

  • If, during installation, you selected the option to encrypt all traffic, the setting in the metadata server's sasv9.cfg file is as follows:

    -objectserverparms "cel=everything {other-parameters}"

  • If a different CEL setting has been added to the metadata server's sasv9_usermods.cfg file, that setting has priority.
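
The priority rule for NETENCRALG and CEL described above can be checked with a short script. This is an added example, not SAS code or part of the original page: it reads the text of sasv9.cfg and sasv9_usermods.cfg, resolves the effective settings, and compares them with a target policy. The function names, the sample file contents, the target policy (AES with cel=everything) and the treatment of an OBJECTSERVERPARMS line without cel= as unspecified are assumptions.

```python
import re

# Accepts both syntaxes shown on the page: -netencralg "AES" and, on z/OS,
# netencralg="AES".
OPTION_RE = re.compile(
    r'^\s*-?(netencralg|objectserverparms)\s*=?\s*"([^"]*)"', re.IGNORECASE)
CEL_RE = re.compile(r'\bcel\s*=\s*(\w+)', re.IGNORECASE)


def parse_options(cfg_text):
    """Return the NETENCRALG and CEL values found in one configuration file."""
    found = {}
    for line in cfg_text.splitlines():
        m = OPTION_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "netencralg":
            found["netencralg"] = value.strip()
        else:
            cel = CEL_RE.search(value)
            # Assumption: a line with no cel= is reported as unspecified (None).
            found["cel"] = cel.group(1).lower() if cel else None
    return found


def effective_settings(sasv9_cfg, usermods_cfg):
    """Merge both files; per the page, sasv9_usermods.cfg has priority."""
    merged = parse_options(sasv9_cfg)
    merged.update(parse_options(usermods_cfg))
    return merged


def audit(settings, want_alg="AES", want_cel="everything"):
    """List deviations from the target policy (an assumed policy, see lead-in)."""
    findings = []
    alg, cel = settings.get("netencralg"), settings.get("cel")
    if alg is None or alg.lower() != want_alg.lower():
        findings.append(f"NETENCRALG is {alg!r}, expected {want_alg!r}")
    if cel != want_cel:
        findings.append(f"CEL is {cel!r}, expected {want_cel!r}")
    return findings


# Constructed sample files: the algorithm was changed in usermods, CEL was not.
BASE = '-netencralg "SASProprietary"\n-objectserverparms "cel=credentials port=8561"\n'
USERMODS = '-netencralg "AES"\n'

if __name__ == "__main__":
    print(audit(effective_settings(BASE, USERMODS)))
```

With the constructed input, the algorithm override takes effect but the encryption level is still the default, so only credentials would be encrypted with AES.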

It isn't necessary to specify encryption settings in the invocation command for every component for the following reasons:

See Also

Encryption Strength and Coverage
