ENCRYPTFIPS System Option

Specifies that the SAS/SECURE and SSL security services use FIPS 140-2 validated algorithms.
Client: optional
Server: optional
Valid in: SAS invocation, configuration file, SAS/CONNECT spawner command line
Categories: Communications: Networking; System Administration: Security
PROC OPTIONS GROUP= COMMUNICATIONS, SECURITY

Default: NOENCRYPTFIPS
Restriction: The ENCRYPTFIPS option is not supported on z/OS for SSL.
Operating environment: UNIX, Windows, z/OS
See: NETENCRYPTALGORITHM

Syntax

ENCRYPTFIPS

Syntax Description

ENCRYPTFIPS
specifies that the SAS/SECURE and SSL security services use only FIPS 140-2 validated encryption algorithms. When this option is specified, a message is written to the SAS log at server start-up to indicate that FIPS encryption is enabled.
Restriction: When the ENCRYPTFIPS option is specified, the NETENCRYPTALGORITHM system option must be set to a single value, AES or SSL. If any other algorithm, or a list of algorithms, is specified, an error message is written and the options subsystem cannot be initialized.
Note: When configuring the ENCRYPTFIPS option on a Microsoft Windows 2003 server, refer to SAS/SECURE FIPS 140-2 Compliant Installation and Configuration for instructions on resolving the environment variable issue.

The ENCRYPTFIPS option can be set only at start-up; it cannot be changed with the OPTIONS statement during a session. You can confirm that it is in effect by displaying the current option settings (for example, with PROC OPTIONS OPTION=ENCRYPTFIPS;) or by viewing the SAS System Options window.

NOENCRYPTFIPS
specifies that the SAS/SECURE and SSL security services are not limited to FIPS 140-2 validated algorithms.

Details

The ENCRYPTFIPS option limits the services provided by SAS/SECURE and SSL to those that are part of the FIPS 140-2 specification. Read more about Security Requirements for Cryptographic Modules at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf. Also refer to FIPS 140-2 Standards Compliance for an overview of the FIPS 140-2 standards.
There is an interaction between the ENCRYPTFIPS option and the NETENCRYPTALGORITHM option: only the AES or the SSL algorithm is supported for FIPS 140-2 encryption, and NETENCRYPTALGORITHM must name exactly one of them. When an unsupported algorithm, or a list of algorithms, is specified, the following error is logged and SAS cannot initialize the options subsystem:
ERROR: When SAS option ENCRYPTFIPS is ON the option value for SAS option 
ERROR: NETENCRYPTALGORITHM must be a single value of AES or SSL. 
ERROR: Invalid option value. 
NOTE: Unable to initialize the options subsystem.
When the ENCRYPTFIPS option is specified, a message is logged informing the user that FIPS 140-2 encryption is enabled. These messages appear in the SAS log when logging is set to the TRACE or DEBUG level. Refer to “Administering Logging for SAS/CONNECT” in SAS/CONNECT User's Guide and “The SAS Log” in SAS Language Reference: Concepts.
This is an example of a TRACE log that is generated when ENCRYPTFIPS is enabled.
2010-12-15T08:37:12,725 TRACE [00000008] :App.tk.eam sasiom1 - Attempting FIPS mode init
This is an example of a DEBUG log generated when ENCRYPTFIPS is enabled.
2010-12-15T08:37:12,731 DEBUG [00000008] :App.tk.eam sasiom1 - FIPS 140-2 mode is enabled
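The restriction above is enforced only when SAS starts, so a misconfigured NETENCRYPTALGORITHM value is discovered by a failed start-up. The following added example (not part of the SAS documentation or of any SAS-supplied tool) is a POSIX shell pre-flight check that applies the same rule to a configuration file before the server is restarted, and a second function that confirms from the server log that FIPS mode actually came up. The option names, the NETENCRALG alias, the quoted and parenthesised value forms, and the two log lines are as documented on this page; the sample configuration files are constructed for the example, and the comment-stripping handles only single-line /* */ comments.

```shell
#!/bin/sh
# Added example, not from the SAS documentation: a pre-flight check for the
# ENCRYPTFIPS / NETENCRYPTALGORITHM interaction. It reads a SAS configuration
# file (or a file holding invocation options) and applies the rule the options
# subsystem enforces at start-up: when ENCRYPTFIPS is on, NETENCRYPTALGORITHM
# (alias NETENCRALG) must be a single value, AES or SSL.

# Emit one option token per line: strip single-line /* ... */ comments,
# lower-case, drop quotes, and treat blanks, semicolons and "=" as separators.
sas_tokens() {
    sed 's:/\*.*\*/::g' "$1" |
        tr '[:upper:]' '[:lower:]' |
        tr -d '"' |
        tr ' \t;=' '\n\n\n\n' |
        sed '/^$/d'
}

# Return 0 if the file satisfies the ENCRYPTFIPS restriction, 1 otherwise.
# The last occurrence of an option wins, as for SAS options given twice.
check_fips_config() {
    fips=0 in_alg=0 in_list=0 alg=""
    for tok in $(sas_tokens "$1"); do
        case "$tok" in
            -encryptfips|encryptfips)     fips=1; in_alg=0 ;;
            -noencryptfips|noencryptfips) fips=0; in_alg=0 ;;
            -netencryptalgorithm|-netencralg|netencryptalgorithm|netencralg)
                in_alg=1; in_list=0; alg="" ;;
            -*) in_alg=0 ;;                  # any other option ends a value list
            *)
                [ "$in_alg" -eq 1 ] || continue
                case "$tok" in \(*) in_list=1 ;; esac   # "(aes rc4)" list start
                v=$(printf '%s' "$tok" | tr -d '()')
                [ -n "$v" ] && alg="$alg $v"
                case "$tok" in *\)) in_list=0 ;; esac   # list end
                [ "$in_list" -eq 1 ] || in_alg=0 ;;
        esac
    done
    if [ "$fips" -eq 0 ]; then
        echo "OK: ENCRYPTFIPS is off; NETENCRYPTALGORITHM is unrestricted"
        return 0
    fi
    set -- $alg
    if [ $# -eq 1 ] && { [ "$1" = aes ] || [ "$1" = ssl ]; }; then
        echo "OK: ENCRYPTFIPS is on with NETENCRYPTALGORITHM=$1"
        return 0
    fi
    # This is the condition SAS reports as "Unable to initialize the options subsystem".
    echo "ERROR: ENCRYPTFIPS is on but NETENCRYPTALGORITHM is not a single AES or SSL value (found:${alg:- none})" >&2
    return 1
}

# Confirm from a server log that FIPS mode really came up: the text matched is
# the DEBUG message quoted above.
fips_enabled_in_log() {
    grep -q 'FIPS 140-2 mode is enabled' "$1"
}

# --- Constructed sample inputs (illustrative, not a real site configuration) ---
tmpd=$(mktemp -d)
cat > "$tmpd/good.cfg" <<'EOF'
/* UNIX-style configuration: FIPS mode with the single AES algorithm */
-encryptfips
-netencryptalgorithm aes
EOF
cat > "$tmpd/bad.cfg" <<'EOF'
/* A multi-valued list is rejected once ENCRYPTFIPS is on */
-encryptfips
-netencralg (aes sasproprietary)
EOF
cat > "$tmpd/server.log" <<'EOF'
2010-12-15T08:37:12,725 TRACE [00000008] :App.tk.eam sasiom1 - Attempting FIPS mode init
2010-12-15T08:37:12,731 DEBUG [00000008] :App.tk.eam sasiom1 - FIPS 140-2 mode is enabled
EOF

check_fips_config "$tmpd/good.cfg"
check_fips_config "$tmpd/bad.cfg" || echo "bad.cfg: SAS would fail to initialize the options subsystem"
fips_enabled_in_log "$tmpd/server.log" && echo "server.log: FIPS 140-2 mode confirmed"
rm -rf "$tmpd"
```

Run it against the server's sasv9.cfg (or a file containing the spawner command-line options) before a restart; a non-zero exit from check_fips_config means the restart would fail with the error shown above. Because the value list may span tokens, the check follows parenthesised lists to their closing parenthesis rather than stopping at the first value, which is exactly the case the single-value rule rejects.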

Examples

Example 1

Here is an example of configuring the ENCRYPTFIPS option on UNIX:
-encryptfips -netencryptalgorithm aes

Example 2

Here is an example of configuring the ENCRYPTFIPS option on z/OS:
encryptfips netencryptalgorithm="aes"

Example 3

Here is an example of configuring the ENCRYPTFIPS option on Windows:
-encryptfips
-netencralg "AES"