How to Configure SSL between the Metadata Server and an LDAP Server

Note: This is not a universally necessary task. The following instructions support encryption of direct communication between the metadata server and an LDAP server using the Secure Sockets Layer (SSL) protocol. This functionality applies only to specialized configurations in which the metadata server directly uses an LDAP server as an authentication provider.
  1. On the LDAP server:
    a. Make sure that a port is configured for SSL.
    b. Examine the Client Certification setting and note its implications for your work in step 2e below.
      • If the setting specifies that a client certificate is optional, step 2e below is optional for you. This is the default setting on most LDAP servers.
      • If the setting specifies that a client certificate is required, step 2e below is mandatory for you.
      • If the setting specifies that a client certificate is not allowed, a client certificate will be ignored, so there is no reason for you to perform step 2e below.
  2. On the metadata server:
    a. If support is not already in place for direct LDAP, configure that support. See How to Configure Direct LDAP Authentication.
    b. Make sure that the value that is specified in the LDAP_PORT (or AD_PORT) environment variable matches an SSL-configured port on the LDAP server.
    c. In the same location where you set environment variables to configure the metadata server for direct LDAP, add the LDAP_TLSMODE (or AD_TLSMODE) environment variable, and set it to 1. Setting this variable causes the metadata server to attempt to use SSL.
    d. Provide a Certificate Authority (CA) certificate to use SSL.

      Host      Details
      Windows   The CA certificate is installed using Microsoft Certificate Services.
      UNIX      The CA certificate file is provided in an accessible directory and referenced by the SSLCALISTLOC option.[1]
      z/OS      The CA certificate file is provided in an accessible directory and referenced by the SSLCALISTLOC option.[1]

      [1] Add the option to the metadata server's invocation command (in the same location where you specified -authpd). For syntax, see "SAS System Options for Encryption" in Encryption in SAS.
    e. If the LDAP server requires client certification (see step 1b above), specify the location of client certificates.

      Host      Details
      Windows   The client certificate is installed using Microsoft Certificate Services. The SSLCERTSUBJ, SSLCERTSERIAL, and SSLCERTISS options are used to locate the client certificate.[1]
      UNIX      The client certificate files are provided in an accessible directory. The SSLCERTLOC, SSLPVTKEYLOC, and SSLPVTKEYPASS options can be used to locate the client certificate. PKCS12 certificates can also be used with the SSLPKCS12LOC and SSLPKCS12PASS options.[1]
      z/OS      The client certificate files are provided in an accessible directory. The SSLCERTLOC, SSLPVTKEYLOC, and SSLPVTKEYPASS options can be used to locate the client certificate. PKCS12 certificates can also be used with the SSLPKCS12LOC and SSLPKCS12PASS options.[1]

      [1] Add the necessary options to the metadata server's invocation command (in the same location where you specified -authpd). For syntax, see "SAS System Options for Encryption" in Encryption in SAS.
  3. Restart the metadata server.
  4. To test the results, use the following code. Replace the sample values with your metadata server connection information, and submit the code in a SAS program editor.
    proc metaoperate
         server="a123.us.company.com"
         port=8561
         userid="myLDAPuserID@myldap"
         password="myLDAPpassword"
         action=status;
    run;