SSL for a SAS/CONNECT Windows Spawner: Example

Start-up of a Windows Spawner on a Single-User SAS/CONNECT Server

After digital certificates for the CA, the server, and the client have been generated and imported into the appropriate Certificate Store, you can start a spawner program that runs on a server that SAS/CONNECT clients connect to.
Here is an example of how to start a Windows spawner on a SAS/CONNECT server:
spawner -install -netencryptalgorithm ssl -sslcertsubj "apex.pc.com" 
-sascmd mysas.bat -servuser userid -servpass password
The following table shows the SAS commands that are used to start a spawner on a SAS/CONNECT single-user server.
SAS Commands and Arguments for Spawner Start-Up Tasks
SAS Command and Arguments
Function
SPAWNER
Starts the spawner
-INSTALL
Causes an instance of a spawner to be installed as a Windows service. For information about the -INSTALL option, see Options for the Windows Spawner in Communications Access Methods for SAS/CONNECT and SAS/SHARE.
-NETENCRYPTALGORITHM SSL
Specifies the SSL encryption algorithm
-SSLCERTSUBJ "apex.pc.com"
Specifies the subject name that is used to search for a certificate from the Microsoft Certificate Store
-SASCMD mysas.bat
Specifies the name of an executable file that starts a SAS session when you sign on without a script file.
-SERVUSER user-ID
Specifies the user-ID to be used to start the spawner and to obtain a digital certificate. The -SERVUSER and the -SERVPASS options are used together and must be specified when the spawner is installed as a service (the -INSTALL option is specified). For information about the -SERVUSER option, see Options for the Windows Spawner in Communications Access Methods for SAS/CONNECT and SAS/SHARE.
-SERVPASS password
Specifies the password to be used to start the spawner and to obtain a digital certificate. The -SERVUSER and the -SERVPASS options are used together and must be specified when the spawner is installed as a service (the -INSTALL option is specified). For information about the -SERVPASS option, see Options for the Windows Spawner in Communications Access Methods for SAS/CONNECT and SAS/SHARE.
In order for the Windows spawner to locate the appropriate server digital certificate in the Microsoft Certificate Store, you must specify the -SSLCERTSUBJ system option in the script that is specified by the -SASCMD option. -SSLCERTSUBJ specifies the subject name of the digital certificate that SSL should use. The subject that is assigned to the -SSLCERTSUBJ option and the computer that is specified in the client signon must be identical.
Note: You can also use the SSLCERTISS= and the SSLCERTSERIAL= options instead of the SSLCERTSUBJ= option to identify a digital certificate.
If the Windows spawner is started as a service, the -SERVPASS and -SERVUSER options must also be specified in the Windows spawner start-up command in order for SSL to locate the appropriate CA digital certificate.
For complete information about starting a Windows spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.

Connection of a SAS/CONNECT Client to a Windows Spawner on a SAS/CONNECT Server

After a spawner has been started on a SAS/CONNECT server, a SAS/CONNECT client can connect to it.
Here is an example of how to make a client connection to a Windows spawner that is running on a SAS/CONNECT server:
options comamid=tcp netencryptalgorithm=ssl;
%let machine=apex.pc.com;
signon machine user=_prompt_;
The computer that is specified in the client signon and the subject (the -SSLCERTSUBJ option) that is specified at the server must be identical.
The following table shows the SAS options that are used to connect to a Windows spawner that runs on a SAS/CONNECT server.
SAS Options, Statements, and Arguments for Client Access to a SAS/CONNECT Server
SAS Options, Statements, and Arguments
Function
COMAMID=TCP
Specifies the TCP/IP access method
NETENCRYPTALGORITHM=SSL
Specifies the encryption algorithm
SIGNON=server-ID
Specifies which server to connect to
USER=_PROMPT_
Prompts for the user ID and password to be used for authenticating the client to the server
The server-ID and the server's Common Name, which was specified in the server's digital certificate, must be identical.