About SAS/SECURE

What Does SAS/SECURE Provide?

SAS/SECURE makes industry-standard encryption algorithms available for use in the SAS Intelligence Platform as follows:
  • SAS/SECURE enables you to provide stronger protection for data in transit than is provided by SASProprietary encoding. This affects communications among SAS servers and between SAS servers and SAS desktop clients. Here are the supported algorithms by host:
    • On UNIX and z/OS, SAS/SECURE supports AES (Advanced Encryption Standard), AES predecessors (DES and TDES), and the RC4 and RC2 algorithms.
    • On Windows, SAS/SECURE supports algorithms that are included in the Microsoft Cryptographic API.
  • SAS/SECURE enables you to provide stronger protection for stored login passwords than is provided by SASProprietary encoding. This affects both passwords that are stored in the metadata and passwords that are included in configuration files. The only supported industry-standard algorithm for stored passwords is AES (SAS003).
  • SAS/SECURE enables you to provide stronger protection for stored internal account passwords (SHA-256 hashing instead of MD5).
  • If you have SAS/SECURE, you can force it to use only services that are part of the Federal Information Processing Standard (FIPS) 140-2 specification. This feature can be enabled during installation, and is configured through a new SAS system option (ENCRYPTFIPS). See "SAS/SECURE FIPS 140-2 Compliant Installation and Configuration" in Encryption in SAS.
    Note: When ENCRYPTFIPS is on, SAS/SECURE uses only FIPS-validated encryption algorithms. For example, in the current release, when ENCRYPTFIPS is on, the value for NETENCRYPTALGORITHM must be AES.
CAUTION:
Passwords that are stored in SAS003 format (or with SHA-256 hashing) become unusable and inaccessible if SAS/SECURE is unavailable.
If you use SAS/SECURE, it is important to keep your SAS/SECURE license current. If you choose to discontinue use of SAS/SECURE, you must revert all stored passwords to the less secure format before you uninstall the software. To revert login passwords, set STOREPASSWORDS="SAS002", restart the metadata server, and use SAS Management Console to re-enter passwords in any logins that need to include passwords. To revert internal account passwords, set HashPasswords="MD5", restart the metadata server, and update the password in every internal account.
Note: In the SAS Intelligence Platform, SAS/SECURE provides only encryption features. Other security features (such as metadata authorization, single sign-on, and use of SSL by SAS applications that run in a third-party Web application server) are not related to SAS/SECURE.

How Are SAS/SECURE Features Surfaced?

SAS/SECURE isn't an interactive software product (like SAS Management Console) or a product that has its own SAS language elements (like SAS/ACCESS). In the SAS Intelligence Platform, SAS/SECURE features are surfaced as follows:
  • In server invocation commands, the NETENCRALG option supports values other than SASProprietary only if you have SAS/SECURE.
  • In SAS Management Console, server encryption algorithm values other than SASProprietary are supported only if you have SAS/SECURE.
    Note: All algorithms are listed regardless of whether you have SAS/SECURE. Do not select a value other than SASProprietary unless you have licensed SAS/SECURE. Use the same algorithm and level on all servers.
  • In the PWENCODE procedure, the METHOD option supports the SAS003 value (AES) only if you have SAS/SECURE.
  • In the RETURNPASSWORDS and STOREPASSWORDS options in the metadata server's omaconfig.xml file, the SAS003 value (AES) is supported only if you have SAS/SECURE.
  • In the HASHPASSWORDS option in the metadata server's omaconfig.xml file, the SHA256 value is supported only if you have SAS/SECURE.
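The omaconfig.xml options above can be checked against the licensing state before SAS/SECURE is removed or a license lapses. The following is an added example, not SAS code or part of the original documentation: the function name, finding labels, and element layout of the sample file are assumptions, and the attributes are matched by name on any element.

```python
import xml.etree.ElementTree as ET

# Option (upper-cased) -> the value this page says is supported only with SAS/SECURE.
SECURE_ONLY = {
    "STOREPASSWORDS": "SAS003",
    "RETURNPASSWORDS": "SAS003",
    "HASHPASSWORDS": "SHA256",
}

# Constructed sample; the element layout is an assumption, not copied from a real deployment.
SAMPLE = """<OMAconfig>
  <OMA STOREPASSWORDS="SAS003" RETURNPASSWORDS="SAS002"/>
  <InternalAuthenticationPolicy HashPasswords="MD5"/>
</OMAconfig>"""


def audit_omaconfig(xml_text, secure_licensed):
    """Return (option, value, finding) tuples, in SECURE_ONLY order.

    finding is one of:
      "needs-secure": value depends on SAS/SECURE but the host is not licensed
                      (stored passwords in that format would become unusable)
      "weaker":       SAS/SECURE is licensed but the stronger value is not used
      "unset":        option is absent from the file
    """
    seen = {}
    # Match attributes by name on any element, case-insensitively, so the check
    # does not depend on which element carries the option.
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if name.upper() in SECURE_ONLY:
                seen[name.upper()] = value.strip().upper()

    findings = []
    for option, strong in SECURE_ONLY.items():
        value = seen.get(option)
        if value is None:
            findings.append((option, None, "unset"))
        elif value == strong and not secure_licensed:
            findings.append((option, value, "needs-secure"))
        elif value != strong and secure_licensed:
            findings.append((option, value, "weaker"))
    return findings


if __name__ == "__main__":
    for licensed in (True, False):
        print("SAS/SECURE licensed:", licensed)
        for option, value, finding in audit_omaconfig(SAMPLE, licensed):
            print(f"  {option}={value}: {finding}")
```

A "needs-secure" finding marks an option that must be reverted, and the affected passwords re-entered, before SAS/SECURE is uninstalled.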

Licensing and Availability of SAS/SECURE

Licensing and availability for SAS/SECURE are as follows:
  • Although SAS/SECURE is automatically included in all deployment plan files that include Base SAS, SAS/SECURE is not licensed as part of Base SAS. SAS/SECURE requires a separate license on each SAS server machine. Client-side licenses are not needed.
  • Availability of SAS/SECURE is subject to import and export restrictions. Some countries have import restrictions on products that contain encryption. The U.S. has export restrictions on products that contain encryption.
  • SAS/SECURE is not supported on VMS.