
Encryption Technologies: Examples

SSL for a SAS/CONNECT z/OS Spawner: Example


Startup of a z/OS Spawner on a SAS/CONNECT Server

After digital certificates are generated for the CA, the server, and the client, and a CA trust list for the client is created, you can start a z/OS spawner program that runs on a server that SAS/CONNECT clients connect to.

For example:

//SPAWNER  EXEC PGM=SASTCPD,
//         PARM='-service 4321 =<//DDN:SYSIN'
//STEPLIB  DD   DISP=SHR,DSN=<customer.high.level.pfx>.LIBRARY
//         DD   DISP=SHR,DSN=<customer.high.level.pfx>.LIBE
//SYSPRINT DD   SYSOUT=*
//SYSTERM  DD   SYSOUT=*
//TKMVSJNL DD   SYSOUT=*
//SYSOUT   DD   SYSOUT=*
//SYSIN    DD   *
-netencryptalgorithm ssl 
-sslpkcs12loc /users/server/certificates/server.p12 
-sslpkcs12pass starbuck1
-sslcalistloc /users/server/certificates/sas.pem
-sascmd /users/server/command.sh

The following table explains the SAS commands that are used to start a spawner on a SAS/CONNECT server.

SAS Commands and Arguments for Spawner Start-Up Tasks

| SAS Commands and Arguments | Function |
| --- | --- |
| sastcpd | Starts the spawner |
| -service 4321 | Specifies the spawner service that is listening on port 4321 |
| -netencryptalgorithm ssl | Specifies the SSL encryption algorithm |
| -sslpkcs12loc /users/server/certificates/serverkey.p12 | Specifies the file path for the location of the server's PKCS #12 DER encoding package |
| -sslpkcs12pass password | Specifies the password to access the server's private key in the PKCS #12 package |
| -sslcalistloc /users/server/certificates/sas.pem | Specifies the CA trust list |
| -sascmd /users/server/command.sh | Specifies the name of an executable file that starts a SAS session when you sign on without a script file |

Here is an example of an executable file, command.sh:

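#!/bin/sh
# Start with the arguments that were passed to this script.
args=$*
# Append each option only when its environment variable is set.
if [ -n "$INHERIT" ] ; then
   args="$args -inherit $INHERIT"
fi
if [ -n "$NETENCRALG" ] ; then
   args="$args -netencralg $NETENCRALG"
fi
if [ -n "$SASDAEMONPORT" ] ; then
   args="$args -sasdaemonport $SASDAEMONPORT"
fi
if [ -n "$SASCLIENTPORT" ] ; then
   args="$args -sasclientport $SASCLIENTPORT"
fi
# Clear TSOOUT and name the CLIST library before invoking the SAS CLIST.
export TSOOUT=
export SYSPROC=SAS.CLIST
# $args is left unquoted so that it splits into separate arguments.
/bin/tso -t %sas -dmr -noterminal $args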

For complete information about starting a z/OS spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.
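
The following pre-start check is an added example, not part of the SAS documentation. It lints a UNIX file that holds the same options as the SYSIN stream shown above; keeping the options in a file, the function names, and the sample password value are assumptions made for the example.

```shell
#!/bin/sh
# Added example: lint for a spawner options file laid out like the SYSIN
# stream above (one "-option value" per line). Prints one finding per line.

# opt_value FILE NAME...: print the value on the last line whose option
# name matches any NAME (names are compared case-insensitively).
opt_value() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        (tolower($1) in want) { v = $2; hit = 1 }
        END { if (hit) print v }' "$file"
}

audit_spawner_opts() {
    opts=$1
    # The page uses both spellings: -netencryptalgorithm and -netencralg.
    alg=$(opt_value "$opts" -netencryptalgorithm -netencralg)
    case $(printf '%s' "$alg" | tr 'A-Z' 'a-z') in
        ssl) ;;
        '')  echo "FAIL no -netencryptalgorithm: SSL is not requested" ;;
        *)   echo "FAIL -netencryptalgorithm is '$alg', expected ssl" ;;
    esac
    [ -n "$(opt_value "$opts" -sslpkcs12loc)" ] ||
        echo "FAIL no -sslpkcs12loc: no server certificate and key package"
    [ -n "$(opt_value "$opts" -sslcalistloc)" ] ||
        echo "FAIL no -sslcalistloc: no CA trust list"
    if [ -n "$(opt_value "$opts" -sslpkcs12pass)" ]; then
        # The PKCS #12 password sits in the file in clear text, so the
        # file must not be accessible to group or other.
        mode=$(ls -ld "$opts" | cut -c5-10)
        [ "$mode" = "------" ] ||
            echo "WARN -sslpkcs12pass in clear text, group/other bits: $mode"
    fi
    return 0
}

# Constructed sample: the page's options without the trust list, mode 644.
demo=$(mktemp)
printf '%s\n' '-netencryptalgorithm ssl' \
    '-sslpkcs12loc /users/server/certificates/server.p12' \
    '-sslpkcs12pass EXAMPLE-ONLY' > "$demo"
chmod 644 "$demo"
audit_spawner_opts "$demo"
rm -f "$demo"
```
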


Connection of a SAS/CONNECT Client to a z/OS Spawner

After a z/OS spawner is started on a SAS/CONNECT server, a SAS/CONNECT client can connect to it.

The following example shows how to connect a client to a spawner that is running on a SAS/CONNECT server:

options netencryptalgorithm=ssl;
options sslcalistloc="/users/johndoe/certificates/cacerts.pem";
%let machine=apex.server.com;
signon machine.spawner user=_prompt_;

The following table explains the SAS options that are used to connect to a SAS/CONNECT server.

SAS Options and Arguments for Client Access to a SAS/CONNECT Server

| SAS Options and Arguments | Client Access Tasks |
| --- | --- |
| NETENCRYPTALGORITHM=ssl | Specifies the encryption algorithm |
| SSLCALISTLOC=cacerts.pem | Specifies the CA trust list |
| SIGNON=server-ID.service | Specifies the server and service to connect to |
| USER=_PROMPT_ | Prompts for the user ID and password to be used for authenticating the client to the server |

The server ID and the server's Common Name, which was specified in the server's digital certificate, must be identical.

For complete information about connecting to a z/OS spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.
