NETENCRYPTALGORITHM System Option

Specifies the algorithm or algorithms to be used for encrypted client/server data transfers.
Client: optional
Server: required
Valid in: Configuration file, OPTIONS statement, SAS System Options window, SAS invocation, SAS/CONNECT spawner command line
Category: Communications: Networking and Encryption
PROC OPTIONS GROUP= Communications
Alias: NETENCRALG
Operating environment: UNIX, Windows, z/OS
See: NETENCRYPT System Option, ENCRYPTFIPS System Option
Examples: SSL for a SAS/CONNECT Windows Spawner: Example
SSL on a z/OS Spawner on a SAS/CONNECT Server: Example
SSL for a SAS/CONNECT UNIX Spawner: Example

Syntax

NETENCRYPTALGORITHM algorithm | ("algorithm-1" ... "algorithm-n")

Syntax Description

algorithm | ("algorithm-1" ... "algorithm-n")
specifies the algorithm or algorithms that can be used for encrypting data that is transferred between a client and a server across a network. When you specify two or more encryption algorithms, use a space or a comma to separate them, and enclose the algorithms in parentheses.
The following algorithms can be used:
  • RC2
  • RC4
  • DES
  • TripleDES
  • SASProprietary
  • SSL
  • AES
Restrictions: The SSL option is not applicable to the Integrated Object Model (IOM) metadata, OLAP, and table servers.

When ENCRYPTFIPS is specified, only the SSL or the AES algorithm can be specified. Otherwise, an error message is output.

Details

The NETENCRYPTALGORITHM option must be specified in the server session.
Use this option to specify one or more encryption algorithms that you want to use to protect the data that is transferred across the network. If more than one algorithm is specified, the client session negotiates the first specified algorithm with the server session. If the client session does not support that algorithm, the second algorithm is negotiated, and so on.
If either the client or the server session specifies the NETENCRYPT option (which makes encryption mandatory) but a common encryption algorithm cannot be negotiated, the client cannot connect to the server.
If the NETENCRYPTALGORITHM option is specified in the server session only, then the server's values are used to negotiate the algorithm selection. If the client session supports only one of multiple algorithms that are specified in the server session, the client can connect to the server.
The NETENCRYPT or NONETENCRYPT option interacts with the NETENCRYPTALGORITHM option, as the following table shows.
Client/Server Connection Outcomes

| Server Settings | Client Settings | Connection Outcome |
|---|---|---|
| NONETENCRYPT, NETENCRALG alg | No settings | If the client is capable of encryption, the client/server connection will be encrypted. Otherwise, the connection will not be encrypted. |
| NETENCRYPT, NETENCRALG alg | No settings | If the client is capable of encryption, the client/server connection will be encrypted. Otherwise, the client/server connection will fail. |
| No settings | NONETENCRYPT, NETENCRALG alg | A client/server connection will not be encrypted. |
| No settings | NETENCRYPT, NETENCRALG alg | A client/server connection will fail. |
| NETENCRYPT or NONETENCRYPT, NETENCRALG alg-1 | NETENCRALG alg-2 | Regardless of whether NETENCRYPT or NONETENCRYPT is specified, a client/server connection will fail. |

Example

In the following example, the client and the server specify different values for the NETENCRYPTALGORITHM option.
The client specifies two algorithms in the following OPTIONS statement:
options netencryptalgorithm=(rc2 tripledes);
The server specifies three algorithms and requires encryption in the following OPTIONS statement:
options netencrypt netencryptalgorithm=(ssl des tripledes);
The client and the server negotiate an algorithm that they share in common, TripleDES, for encrypting data transfers.
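
The negotiation rules and the outcome table above can be modelled in Python to predict whether a planned client/server configuration will end up encrypted, unencrypted, or refused, and to check an algorithm list against the ENCRYPTFIPS restriction. This is an added illustration, not SAS code: the Session class, its capable field and the function names are hypothetical, and it assumes that the server's list is walked in order with the first match winning.

```python
from dataclasses import dataclass

# Algorithm names as listed on this page, compared case-insensitively.
ALGORITHMS = ("rc2", "rc4", "des", "tripledes", "sasproprietary", "ssl", "aes")
FIPS_ALLOWED = {"ssl", "aes"}  # per the ENCRYPTFIPS restriction on this page


@dataclass(frozen=True)
class Session:
    """Hypothetical model of one side's settings (not a SAS data structure)."""
    algorithms: tuple = ()       # NETENCRYPTALGORITHM values in order; () = not set
    netencrypt: bool = False     # True = NETENCRYPT, False = NONETENCRYPT or unset
    capable: tuple = ALGORITHMS  # what an unconfigured session can do (assumption)


def negotiate(server: Session, client: Session) -> str:
    """Return 'encrypted:<alg>', 'unencrypted' or 'fail' per the outcome table."""
    s_algs = [a.lower() for a in server.algorithms]
    c_algs = [a.lower() for a in client.algorithms]
    if not s_algs:
        # Rows 3-4: the server offers nothing, so only the client's
        # NETENCRYPT decides between an unencrypted session and a failure.
        return "fail" if client.netencrypt else "unencrypted"
    # A client with no settings falls back to whatever it is capable of.
    acceptable = c_algs if c_algs else [a.lower() for a in client.capable]
    # Assumption: the server's list is walked in order, first match wins.
    for alg in s_algs:
        if alg in acceptable:
            return f"encrypted:{alg}"
    if c_algs or server.netencrypt or client.netencrypt:
        # Row 5 (disjoint lists) and row 2 (encryption is mandatory).
        return "fail"
    return "unencrypted"  # Row 1 with a client that cannot encrypt


def fips_violations(algorithms) -> list:
    """Algorithms that would raise an error when ENCRYPTFIPS is specified."""
    return [a for a in algorithms if a.lower() not in FIPS_ALLOWED]


if __name__ == "__main__":
    # The page's own example: the server requires encryption, the lists differ.
    srv = Session(("ssl", "des", "tripledes"), netencrypt=True)
    cli = Session(("rc2", "tripledes"))
    print(negotiate(srv, cli))
    print(fips_violations(srv.algorithms))
```

Running each row of the table through negotiate() before a rollout shows which client populations would be refused and which would silently fall back to an unencrypted session under NONETENCRYPT.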