TLS on UNIX: Building FIPS 140-2 Capable OpenSSL

SAS ships OpenSSL libraries on UNIX. However, these are not FIPS 140-2 compliant libraries. You must compile a FIPS 140-2 compliant version of OpenSSL and install it. If you plan to build FIPS 140-2 capable OpenSSL for UNIX, access the OpenSSL utility at OpenSSL Source. Then follow the instructions in OpenSSL FIPS 140-2 Security Policy Version 2.0 to build an OpenSSL FIPS Object Module v2.0.
Note: Different operating systems use different library file names. For example, HP-UX, Linux, and Solaris use libcrypto.so.1.0.0 and libssl.so.1.0.0, whereas AIX uses libcrypto.so and libssl.so. Refer to your operating system vendor's documentation when using the vendor's OpenSSL libraries; additional procedures might be required to make the libraries work properly in your environment.
If you are using your own FIPS 140-2 compliant OpenSSL libraries, your system administrator needs to set the library path environment variables so that SAS picks up this software. Go to the <SASHome>/SASFoundation/9.4/bin directory. This directory contains the sasenv script that sets the environment variables that are required by SAS. When you customize environment variable values, modify the sasenv_local file. Set the location of the FIPS 140-2 compliant libraries in the sasenv_local file. Depending on your operating system, set LD_LIBRARY_PATH and SHLIB_PATH to the same value, and on AIX set LIBPATH.
For example, you might add the following code to the sasenv_local file.
export LD_LIBRARY_PATH=<FIPS library path>:$LD_LIBRARY_PATH
For more information, see Contents of the !SASROOT Directory in SAS Companion for UNIX Environments.
Note: Prepend the customized library path to the existing path in the script that is run before SAS is invoked, so that the FIPS libraries are found before the libraries that SAS ships.
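The following is an added example of such a sasenv_local fragment; it is not SAS's own code. It checks that the library files named in the note above exist before prepending the directory, and the mapping of operating system name (as printed by uname -s) to loader variable, as well as the /opt/openssl-fips/lib directory, are assumptions.

```shell
# Added example (not SAS's own code): sasenv_local fragment that prepends a
# FIPS 140-2 capable OpenSSL library directory to the loader path the OS honours.
# Expected library file names per OS (from the note above): AIX uses the
# unversioned names; HP-UX, Linux and Solaris use the 1.0.0 versioned names.
fips_expected_libs() {
    case "$1" in
        AIX) echo "libcrypto.so libssl.so" ;;
        *)   echo "libcrypto.so.1.0.0 libssl.so.1.0.0" ;;
    esac
}
# Print 0 if both expected libraries for OS $1 exist in directory $2, else 1.
fips_libs_present() {
    for lib in $(fips_expected_libs "$1"); do
        [ -f "$2/$lib" ] || { echo 1; return; }
    done
    echo 0
}
# Print $1 prepended to the colon-separated path $2; do not duplicate $1 if
# the path already starts with it (sasenv_local may be sourced repeatedly).
prepend_path() {
    case ":$2:" in
        ":$1:"*) echo "$2" ;;
        "::")    echo "$1" ;;
        *)       echo "$1:$2" ;;
    esac
}
# Loader variable(s) to set for OS $1, as printed by uname -s (assumed mapping
# based on the text: LD_LIBRARY_PATH and SHLIB_PATH the same, LIBPATH on AIX).
fips_loader_vars() {
    case "$1" in
        AIX)   echo "LIBPATH" ;;
        HP-UX) echo "LD_LIBRARY_PATH SHLIB_PATH" ;;
        *)     echo "LD_LIBRARY_PATH" ;;
    esac
}
# Export each loader variable for OS $1 with the FIPS directory $2 prepended;
# fail loudly instead of silently falling back to the non-FIPS libraries.
fips_export_paths() {
    if [ "$(fips_libs_present "$1" "$2")" != 0 ]; then
        echo "sasenv_local: FIPS OpenSSL libraries not found in $2" >&2
        return 1
    fi
    for var in $(fips_loader_vars "$1"); do
        eval "cur=\${$var:-}"
        new=$(prepend_path "$2" "$cur")
        eval "$var=\$new; export $var"
    done
}
# Typical use in sasenv_local; /opt/openssl-fips/lib is a placeholder directory:
# fips_export_paths "$(uname -s)" /opt/openssl-fips/lib
```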
Use the SAS Deployment Wizard to configure FIPS after building your libraries. See SAS® Deployment Wizard and SAS® Deployment Manager 9.4: User's Guide. Note that the SAS system option NETENCRALG= must be set to SSL to configure a FIPS 140-2 compliant system.
CAUTION:
Use caution when using ENCRYPTFIPS
Turning on the ENCRYPTFIPS option is not generally recommended unless it is required by your site's policy. If the ENCRYPTFIPS option is turned on, the SAS server-based TLS clients attempt to load a special subset of OpenSSL libraries that are part of the OpenSSL FIPS Object Module. Because these libraries are not present by default, you must follow the preceding process to download and compile them in accordance with the instructions specified by the FIPS standard. See ENCRYPTFIPS System Option and FIPS 140-2 Standards Compliance.