SAS/SECURE makes industry-standard encryption algorithms available for use in the SAS Intelligence Platform as follows:
- SAS/SECURE enables you to provide stronger protection for data in transit than is provided by SASProprietary encoding. This affects communications among SAS servers and between SAS servers and SAS desktop clients. Here are the supported algorithms by host:
  - On UNIX and z/OS, SAS/SECURE supports AES (Advanced Encryption Standard), AES predecessors (DES and TDES), and the RC4 and RC2 algorithms.
  - On Windows, SAS/SECURE supports algorithms that are included in the Microsoft Cryptographic API.
- SAS/SECURE enables you to provide stronger protection for stored login passwords than is provided by SASProprietary encoding. This affects both passwords that are stored in the metadata and passwords that are included in configuration files. The only supported industry-standard algorithm for stored passwords is AES (SAS003).
- SAS/SECURE enables you to provide stronger protection for stored internal account passwords (SHA-256 hashing instead of MD5).
- If you have SAS/SECURE, you can force it to use only services that are part of the Federal Information Processing Standard (FIPS) 140-2 specification. This feature can be enabled during installation, and is configured through a new SAS system option (ENCRYPTFIPS).
See SAS/SECURE FIPS 140-2 Compliant Installation and Configuration in Encryption in SAS.
Note: When ENCRYPTFIPS is on, SAS/SECURE uses only FIPS-validated encryption algorithms. For example, in the current release, when ENCRYPTFIPS is on, the value for NETENCRYPTALGORITHM must be AES.
CAUTION: Passwords that are stored in SAS003 format (or with SHA-256 hashing) become unusable and inaccessible if SAS/SECURE is unavailable.
If you use SAS/SECURE, it is important to keep your SAS/SECURE license current. If you choose to discontinue use of SAS/SECURE, you must revert all stored passwords to the less secure format before you uninstall the software. To revert login passwords, set STOREPASSWORDS="SAS002", restart the metadata server, and use SAS Management Console to re-enter passwords in any logins that need to include passwords. To revert internal account passwords, set HashPasswords="MD5", restart the metadata server, and update the password in every internal account.
Note: In the SAS Intelligence Platform, SAS/SECURE provides only encryption features. Other security features (such as metadata authorization, single sign-on, and use of SSL by SAS applications that run in a third-party Web application server) are not related to SAS/SECURE.
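The ENCRYPTFIPS note and the CAUTION above can both be checked before a license lapses or the software is removed. The following Python audit is an added example, not SAS code and not part of the SAS documentation. It assumes options appear in a configuration file as `-OPTION value` lines and that encoded passwords carry a `{SAS002}` or `{SAS003}` prefix; the sample file, including its METAPASS and EMAILPW lines, is constructed for illustration.

```python
import re

# Constructed sample; the "-OPTION value" layout and the {SAS00n} prefix on
# encoded passwords are assumptions about how the options appear on disk.
SAMPLE_CFG = '''\
-ENCRYPTFIPS
-NETENCRYPTALGORITHM "RC4"
-METAPASS "{SAS003}CONSTRUCTED-PLACEHOLDER-1"
-EMAILPW "{SAS002}CONSTRUCTED-PLACEHOLDER-2"
'''

OPTION = re.compile(r'^\s*-(\w+)\s*(.*)$')
ENCODED = re.compile(r'\{(SAS\d{3})\}', re.IGNORECASE)

def audit(cfg_text):
    """Return (finding, detail) tuples for one configuration file."""
    fips, algs, formats = False, [], {}
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        m = OPTION.match(line)
        if m:
            name, value = m.group(1).upper(), m.group(2)
            if name in ("ENCRYPTFIPS", "NOENCRYPTFIPS"):
                fips = name == "ENCRYPTFIPS"
            elif name == "NETENCRYPTALGORITHM":
                # Accept a single value or a list; keep the bare names.
                algs = [a.upper() for a in re.findall(r'[A-Za-z0-9]+', value)]
        for tag in ENCODED.findall(line):
            formats.setdefault(tag.upper(), []).append(lineno)

    findings = []
    # With ENCRYPTFIPS on, the value for NETENCRYPTALGORITHM must be AES.
    if fips and algs != ["AES"]:
        findings.append(("fips-algorithm", algs))
    # SAS003 passwords become unusable if SAS/SECURE is unavailable.
    if "SAS003" in formats:
        findings.append(("needs-sas-secure", formats["SAS003"]))
    # SAS002 is the less secure stored-password format.
    if "SAS002" in formats:
        findings.append(("less-secure-format", formats["SAS002"]))
    return findings

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_CFG):
        print(finding, detail)
```

The line numbers reported under `needs-sas-secure` are the passwords to re-enter after setting STOREPASSWORDS="SAS002" if SAS/SECURE is being discontinued.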