SAS ships OpenSSL libraries on UNIX. However, these are not FIPS 140-2 compliant libraries. You must compile a FIPS 140-2 compliant version of OpenSSL and install it. If you plan to build FIPS 140-2 capable OpenSSL for UNIX, obtain the OpenSSL source from OpenSSL Source. Then follow the instructions in OpenSSL FIPS 140-2 Security Policy Version 2.0 to build an OpenSSL FIPS Object Module v2.0.
Note: Different operating systems require the use of different library file extensions. For example, HP-UX, Linux, and Solaris use libcrypto.so.1.0.0 and libssl.so.1.0.0. AIX uses libcrypto.so and libssl.so. Refer to your operating system vendor documentation when using the vendor's OpenSSL libraries. There might be additional procedures that need to be followed to make the libraries work properly in your environment.
If you are using your own FIPS 140-2 compliant OpenSSL libraries, your system administrator needs to set the environment path variables to pick up this software. Go to the <SASHome>/SASFoundation/9.4/bin directory. This directory contains the sasenv script that sets the environment variables that are required by SAS. When you customize environment variable values, modify the sasenv_local file. Set the location of the FIPS 140-2 compliant libraries in the sasenv_local file. Depending on your operating system, set LD_LIBRARY_PATH and SHLIB_PATH to the same value, and set LIBPATH on AIX.
For example, you might add the following line to the sasenv_local file:
export LD_LIBRARY_PATH=<FIPS library path>:$LD_LIBRARY_PATH
For more information, see Contents of the !SASROOT Directory in SAS Companion for UNIX Environments.
Note: Prepend the customized library path in the script that is run before invoking SAS.
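The following sasenv_local fragment is an added example, not SAS's own script: it prepends a FIPS-capable OpenSSL library directory to the loader variables named above for whichever UNIX flavour is running, and refuses to set them if the expected libcrypto/libssl files are absent. The directory /opt/openssl-fips/lib and the helper names are assumptions for illustration.

```sh
# Added example, not SAS's own sasenv_local: prepend a FIPS 140-2 capable
# OpenSSL library directory to the loader path for the running UNIX flavour
# and confirm the expected shared libraries exist before SAS is started.

# Placeholder for your site's FIPS-capable OpenSSL build directory.
FIPS_LIB_DIR="${FIPS_LIB_DIR:-/opt/openssl-fips/lib}"

# Library file names for a given OS (as printed by uname -s): AIX uses the
# unversioned names; HP-UX, Linux and Solaris use the 1.0.0 names.
fips_lib_names() {
    case "$1" in
        AIX) echo "libcrypto.so libssl.so" ;;
        *)   echo "libcrypto.so.1.0.0 libssl.so.1.0.0" ;;
    esac
}

# Print $1 with $2 prepended, unless $2 is already its first entry.
prepend_path() {
    case "$1" in
        "")          echo "$2" ;;
        "$2"|"$2":*) echo "$1" ;;
        *)           echo "$2:$1" ;;
    esac
}

# Return 0 when every library for OS $2 is present under directory $1.
check_fips_libs() {
    for lib in $(fips_lib_names "$2"); do
        [ -f "$1/$lib" ] || { echo "missing FIPS library: $1/$lib" >&2; return 1; }
    done
    return 0
}

# Set every loader variable the procedure names so one sasenv_local works on
# HP-UX, Linux, Solaris (LD_LIBRARY_PATH, SHLIB_PATH) and AIX (LIBPATH too).
apply_fips_env() {
    os=$(uname -s)
    check_fips_libs "$FIPS_LIB_DIR" "$os" || return 1
    LD_LIBRARY_PATH=$(prepend_path "${LD_LIBRARY_PATH:-}" "$FIPS_LIB_DIR")
    export LD_LIBRARY_PATH
    SHLIB_PATH="$LD_LIBRARY_PATH"; export SHLIB_PATH
    if [ "$os" = AIX ]; then
        LIBPATH=$(prepend_path "${LIBPATH:-}" "$FIPS_LIB_DIR"); export LIBPATH
    fi
}

# Sourced from sasenv_local: warn instead of aborting so SAS still starts.
apply_fips_env || echo "FIPS OpenSSL libraries not found under $FIPS_LIB_DIR" >&2
```

Because sasenv_local is sourced rather than executed, the exported variables remain in the environment of the SAS process started afterwards.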
Use the SAS Deployment Wizard to configure FIPS after building your libraries. See SAS® Deployment Wizard and SAS® Deployment Manager 9.4: User's Guide. Note that the SAS system option NETENCRALG= must be set to SSL to configure a FIPS 140-2 compliant system.
CAUTION: Use caution when using ENCRYPTFIPS
Turning on the ENCRYPTFIPS option is not generally recommended, unless absolutely required by your site's policy. If the ENCRYPTFIPS option is turned on, the SAS server-based TLS clients will attempt to load a special subset of OpenSSL libraries, contained as part of the OpenSSL FIPS Object Module. Because these libraries are not present by default, you must follow the preceding process to download and compile them in accordance with the instructions specified by the FIPS standard.
See ENCRYPTFIPS System Option and FIPS 140-2 Standards Compliance.