ENCRYPTFIPS System Option

Specifies that the SAS/SECURE and TLS security services use FIPS 140-2 validated algorithms.

Client: Optional
Server: Optional
Valid in: SAS invocation, configuration file, SAS/CONNECT spawner command line
Categories: Communications: Networking and Encryption; System Administration: Security
PROC OPTIONS GROUP= COMMUNICATIONS SECURITY
Default: NOENCRYPTFIPS
Restriction: The ENCRYPTFIPS option is not supported on z/OS for TLS.
Operating environment: UNIX, Windows, z/OS
See: NETENCRYPTALGORITHM

Syntax

ENCRYPTFIPS

Syntax Description

ENCRYPTFIPS

specifies that the SAS/SECURE and TLS security services use only FIPS 140-2 validated encryption algorithms.

Note: Turning on the ENCRYPTFIPS option is not generally recommended for TLS unless it is required by your site's policy.
When this option is specified, an INFO message is written at server start-up to indicate that FIPS encryption is enabled.
Note: SAS Internal Passwords are stored using the SHA-256 hashing algorithm when this option is specified.
The ENCRYPTFIPS option is provided by SAS primarily to help ensure that your SAS system is configured to use the encryption algorithms and cipher suites specified by the FIPS 140-2 standard, and that the cryptographic libraries are validated for compliance when they are loaded. With this option enabled, SAS verifies that all of your SAS servers have been configured to use the FIPS-approved Advanced Encryption Standard (AES) libraries or the SSL protocol: ENCRYPTFIPS ensures that IOM uses AES and that SAS/CONNECT uses AES or SSL.
However, turning off the ENCRYPTFIPS system option does not prevent SAS from using the FIPS-approved algorithms available with SAS/SECURE, such as AES, nor does it prevent SAS from negotiating strong FIPS-approved cipher suites when it acts as an SSL client.
CAUTION:
Use ENCRYPTFIPS with caution.
Turning on the ENCRYPTFIPS option is not generally recommended for TLS unless it is required by your site's policy. If ENCRYPTFIPS is turned on, SAS server-based TLS clients attempt to load a special subset of OpenSSL libraries, the OpenSSL FIPS Object Module. Because these libraries are not present by default, you must first follow the process described in TLS on UNIX: Building FIPS 140-2 Capable OpenSSL.
Restriction: When the ENCRYPTFIPS option is specified, the NETENCRYPTALGORITHM system option must be set to AES or SSL. If a different algorithm is specified, an error message is written to the log.
Notes: When configuring the ENCRYPTFIPS option on a Microsoft Windows 2003 server, refer to SAS/SECURE FIPS 140-2 Compliant Installation and Configuration for instructions on resolving the environment variable issue.
The ENCRYPTFIPS option can be set only at start-up. You can confirm the current setting with the OPTIONS procedure (PROC OPTIONS) or in the SAS System Options window.

NOENCRYPTFIPS

specifies that the SAS/SECURE and TLS security services are not limited to FIPS 140-2 validated algorithms.

Details

The ENCRYPTFIPS option limits the services provided by SAS/SECURE and TLS to those services that are part of the FIPS 140-2 specification.
Read more in FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Refer to FIPS 140-2 Standards Compliance for an overview of the FIPS 140-2 standard.
There is an interaction between the ENCRYPTFIPS option and the NETENCRYPTALGORITHM option. Only the AES algorithm or the SSL algorithm is supported for FIPS 140-2 encryption. An error is logged when an unsupported algorithm is specified.
ERROR: When SAS option ENCRYPTFIPS is ON the option value for SAS option 
ERROR: NETENCRYPTALGORITHM must be a single value of AES or SSL. 
ERROR: Invalid option value. 
NOTE: Unable to initialize the options subsystem.
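The error above is raised at start-up, so a mismatch between ENCRYPTFIPS and NETENCRYPTALGORITHM is discovered only after a restart has already been attempted. The following script is an added example, not SAS code, that performs the same consistency check on a configuration file before the restart. It assumes the option spellings shown in the Examples section (-encryptfips, -netencryptalgorithm aes, netencryptalgorithm="aes", -netencralg "AES"), that the last occurrence of an option in the file wins, and a grep that supports -o (GNU or BSD); the sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not SAS code: pre-flight check of a SAS configuration file
# for the ENCRYPTFIPS / NETENCRYPTALGORITHM restriction described above.
# Assumptions: options appear in the forms shown in the Examples section,
# the last occurrence of an option wins, and grep supports -o (GNU or BSD).
#
# Return codes: 0 = consistent (or ENCRYPTFIPS not in effect),
#               1 = the combination SAS rejects at start-up,
#               2 = file not readable.
check_fips_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "$cfg: cannot read file" >&2; return 2; }

    # SAS option names and values are case-insensitive: normalise once.
    up=$(tr 'a-z' 'A-Z' < "$cfg")

    # The last ENCRYPTFIPS / NOENCRYPTFIPS token decides whether FIPS mode is on.
    fips=$(printf '%s\n' "$up" \
        | grep -Eo '(^|[[:space:]])-?(NO)?ENCRYPTFIPS([[:space:]]|$)' \
        | tail -n 1 | sed 's/[[:space:]-]//g')
    if [ "$fips" != "ENCRYPTFIPS" ]; then
        echo "$cfg: ENCRYPTFIPS not in effect, nothing to check"
        return 0
    fi

    # Value of the last NETENCRYPTALGORITHM (alias NETENCRALG): the token after
    # the option name, accepting an optional '=', a quoted value, or a
    # parenthesised list. Quotes and parentheses are stripped, so a multi-value
    # list such as (AES RC4) becomes "AES RC4" and is rejected below.
    alg=$(printf '%s\n' "$up" \
        | grep -Eo '(^|[[:space:]])-?(NETENCRYPTALGORITHM|NETENCRALG)[[:space:]]*=?[[:space:]]*("[^"]*"|\([^)]*\)|[^[:space:]]+)' \
        | tail -n 1 \
        | sed -E 's/^[[:space:]]*-?(NETENCRYPTALGORITHM|NETENCRALG)[[:space:]]*=?[[:space:]]*//' \
        | tr -d "()\"'" \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')

    case "$alg" in
        "")
            echo "$cfg: ENCRYPTFIPS is on but NETENCRYPTALGORITHM is not set" >&2
            return 1 ;;
        AES|SSL)
            echo "$cfg: ok, ENCRYPTFIPS with NETENCRYPTALGORITHM=$alg"
            return 0 ;;
        *)
            echo "$cfg: ENCRYPTFIPS is on but NETENCRYPTALGORITHM '$alg' is not a single value of AES or SSL" >&2
            return 1 ;;
    esac
}

# Constructed sample configuration files for the demonstration (not real site
# configurations), written into directory $1.
write_sample_cfgs() {
    d="$1"
    printf '%s\n' '-encryptfips' '-netencryptalgorithm aes'       > "$d/good_unix.cfg"
    printf '%s\n' 'encryptfips netencryptalgorithm="aes"'         > "$d/good_zos.cfg"
    printf '%s\n' '-encryptfips' '-netencralg "SSL"'              > "$d/good_ssl.cfg"
    printf '%s\n' '-encryptfips' '-netencryptalgorithm rc4'       > "$d/bad_rc4.cfg"
    printf '%s\n' '-encryptfips' '-netencryptalgorithm (aes rc4)' > "$d/bad_multi.cfg"
    printf '%s\n' '-encryptfips'                                  > "$d/bad_missing.cfg"
    printf '%s\n' '-noencryptfips' '-netencryptalgorithm rc4'     > "$d/off.cfg"
}

# Stand-alone run: check every constructed sample and report each verdict.
tmp=$(mktemp -d)
write_sample_cfgs "$tmp"
for f in "$tmp"/*.cfg; do
    check_fips_config "$f" || true    # keep going so every verdict is printed
done
rm -rf "$tmp"
```

Run it against your own files with `check_fips_config /path/to/sasv9.cfg` after sourcing the script; a non-zero return is the mismatch that would otherwise surface only as the "Unable to initialize the options subsystem" note at the next restart. The off.cfg sample shows that NOENCRYPTFIPS leaves NETENCRYPTALGORITHM unconstrained, matching the NOENCRYPTFIPS description above.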
When the ENCRYPTFIPS option is specified, a message is logged informing the user that FIPS 140-2 encryption is enabled. The message can be viewed in the SAS log at the DEBUG or TRACE logging level. Refer to The SAS Log in SAS Language Reference: Concepts and Administering Logging for SAS/CONNECT in SAS/CONNECT User's Guide.

Examples

Example 1

Here is an example of configuring the ENCRYPTFIPS option on UNIX:
-encryptfips -netencryptalgorithm aes

Example 2

Here is an example of configuring the ENCRYPTFIPS option on z/OS:
encryptfips netencryptalgorithm="aes"

Example 3

Here is an example of configuring the ENCRYPTFIPS option on Windows:
-encryptfips -netencralg "AES"