TLS on a z/OS Spawner on a SAS/CONNECT Server: Example

Start-up of a z/OS Spawner on a SAS/CONNECT Server

After digital certificates are generated for the CA, the server, and the client, and a CA trust list for the client is created, you can start a z/OS spawner program that runs on a server that SAS/CONNECT clients connect to.
Note: Starting in the third maintenance release of SAS 9.4, you can use the SDM to manage your certificates. SSLCALISTLOC defaults to <SASRoot>/SASHome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.pem and is set at SAS installation in the z/OS common options template. Therefore, you no longer need to specify the -SSLCALISTLOC option.
For example:
//SPAWNER  EXEC PGM=CNTSPAWN,
//         PARM='-service 4321 =<//DDN:SYSIN'
//STEPLIB  DD   DISP=SHR,DSN=<customer.high.level.pfx>.LIBRARY
//         DD   DISP=SHR,DSN=<customer.high.level.pfx>.LIBE
//SYSPRINT DD   SYSOUT=*
//SYSTERM  DD   SYSOUT=*
//TKMVSJNL DD   SYSOUT=*
//SYSOUT   DD   SYSOUT=*
//SYSIN    DD   *
-netencryptalgorithm ssl
-sslpkcs12loc /users/server/certificates/server.p12
-sslpkcs12pass starbuck1
-sslcalistloc /users/server/certificates/sas.pem
-sascmd /users/server/command.sh
/*
The following table explains the SAS commands and arguments that are used to start a spawner on a SAS/CONNECT server.

SAS Commands and Arguments for Spawner Start-Up Tasks
(each SAS command or argument is followed by its function)

CNTSPAWN
    Starts the spawner.
-SERVICE 4321
    Specifies the spawner service that is listening on port 4321.
-NETENCRYPTALGORITHM SSL
    Specifies the SSL encryption algorithm.
-SSLPKCS12LOC /users/server/certificates/serverkey.p12
    Specifies the file path for the location of the server's PKCS #12 DER encoding package.
-SSLPKCS12PASS password
    Specifies the password to access the server's private key in the PKCS #12 package.
-SSLCALISTLOC /users/server/certificates/sas.pem
    Specifies the CA trust list.
    Note: Starting in the third maintenance release of SAS 9.4, if you are using the SDM to manage your certificates, you no longer need to specify this command.
-SASCMD /users/server/command.sh
    Specifies the name of an executable file that starts a SAS session when you sign on without a script file.
In order for the z/OS spawner to locate the appropriate server digital certificate, you must specify either the -SSLCERTLOC, -SSLPVTKEYLOC, and -SSLPVTKEYPASS options or the -SSLPKCS12LOC and -SSLPKCS12PASS options in the script that is specified by the -SASCMD option.
Here is an example of an executable file, command.sh:
#!/bin/sh
# Collect the arguments that the spawner passes in, then append the network
# encryption algorithm and port settings that the spawner exports as
# environment variables.
args="$*"
if [ -n "$NETENCRALG" ] ; then
   args="$args -netencralg $NETENCRALG"
fi
if [ -n "$SASDAEMONPORT" ] ; then
   args="$args -sasdaemonport $SASDAEMONPORT"
fi
if [ -n "$SASCLIENTPORT" ] ; then
   args="$args -sasclientport $SASCLIENTPORT"
fi
export TSOOUT=
export SYSPROC=SAS.CLIST
# Start the SAS session through TSO, passing the server's PKCS #12 package
# and its password so that the spawned session can locate its certificate.
/bin/tso -t %sas -dmr -noterminal \
   -sslpkcs12loc /users/server/certificates/serverkey.p12 \
   -sslpkcs12pass password $args
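The rule above (-NETENCRYPTALGORITHM SSL plus either the PKCS #12 pair or the certificate, private key and key password triple) is easy to get wrong when the option block is edited by hand, and a spawner started with an incomplete set fails only when the first client connects. The following POSIX sh script is an added example, not part of the SAS documentation or the SAS product, that checks an option string such as the SYSIN stream or the -SASCMD script's command line before the spawner is started. The helper names check_ssl_opts and opt_val and the sample option string are constructed for this example.

```shell
#!/bin/sh
# Added example (not SAS code): a pre-start check for the TLS option set
# given to the z/OS spawner or to the SAS command in the -SASCMD script.
# The rule enforced: -netencryptalgorithm ssl, plus either
#   -sslpkcs12loc and -sslpkcs12pass                  (PKCS #12 form), or
#   -sslcertloc, -sslpvtkeyloc and -sslpvtkeypass     (separate-file form).
# check_ssl_opts and opt_val are hypothetical helper names.

# Print the value that follows option $1 in the option string $2. Option
# names are compared case-insensitively, as SAS accepts them either way.
# Returns 1 when the option is absent or has no value.
opt_val() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    found=0
    for tok in $2; do
        if [ "$found" = 1 ]; then
            printf '%s\n' "$tok"
            return 0
        fi
        [ "$(printf '%s' "$tok" | tr 'A-Z' 'a-z')" = "$want" ] && found=1
    done
    return 1
}

# Validate one option string. Returns 0 when the set is complete and
# consistent, 1 otherwise; every problem found is reported on stderr.
check_ssl_opts() {
    opts=$1
    rc=0

    alg=$(opt_val -netencryptalgorithm "$opts") || alg=
    case "$(printf '%s' "$alg" | tr 'A-Z' 'a-z')" in
        ssl) ;;
        '')  echo "missing -netencryptalgorithm ssl: sessions would not be encrypted" >&2; rc=1 ;;
        *)   echo "unexpected -netencryptalgorithm value '$alg'; expected ssl" >&2; rc=1 ;;
    esac

    p12=$(opt_val -sslpkcs12loc "$opts") || p12=
    p12pw=$(opt_val -sslpkcs12pass "$opts") || p12pw=
    cert=$(opt_val -sslcertloc "$opts") || cert=
    key=$(opt_val -sslpvtkeyloc "$opts") || key=
    keypw=$(opt_val -sslpvtkeypass "$opts") || keypw=

    if [ -n "$p12" ] || [ -n "$p12pw" ]; then
        # PKCS #12 form: the package path and its password go together.
        if [ -z "$p12" ] || [ -z "$p12pw" ]; then
            echo "-sslpkcs12loc and -sslpkcs12pass must both be given" >&2; rc=1
        fi
    elif [ -n "$cert" ] || [ -n "$key" ] || [ -n "$keypw" ]; then
        # Separate-file form: certificate, private key and key password.
        if [ -z "$cert" ] || [ -z "$key" ] || [ -z "$keypw" ]; then
            echo "-sslcertloc, -sslpvtkeyloc and -sslpvtkeypass must all be given" >&2; rc=1
        fi
    else
        echo "no server certificate options: the spawner cannot locate its certificate" >&2; rc=1
    fi
    return $rc
}

# Constructed sample: the option set from the SYSIN stream above, with a
# placeholder in place of the real PKCS #12 password.
SAMPLE_OPTS='-netencryptalgorithm ssl -sslpkcs12loc /users/server/certificates/serverkey.p12 -sslpkcs12pass REPLACE_ME -sslcalistloc /users/server/certificates/sas.pem -sascmd /users/server/command.sh'
check_ssl_opts "$SAMPLE_OPTS" && echo "TLS option set is complete"
```

Because both forms carry the private-key password in clear text, the SYSIN data set and the -SASCMD script should be readable only by the ID that runs the spawner; the check above does not verify file permissions or that the referenced files exist, so those remain a separate step.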
For complete information about starting a z/OS spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.

Connection of a SAS/CONNECT Client to a z/OS Spawner

After a z/OS spawner is started on a SAS/CONNECT server, a SAS/CONNECT client can connect to it.
The following example shows how to connect a client to a spawner that is running on a SAS/CONNECT server:
options comamid=tcp netencryptalgorithm=ssl;
options sslcalistloc="/users/johndoe/certificates/sas.pem";
%let machine=apex.server.com;
signon machine.4321 user=_prompt_;
The following table explains the SAS options that are used to connect to a SAS/CONNECT server.

SAS Options and Arguments for Client Access to a SAS/CONNECT Server
(each SAS option or argument is followed by its client access task)

COMAMID=TCP
    Specifies the TCP/IP access method.
NETENCRYPTALGORITHM=SSL
    Specifies the encryption algorithm.
SSLCALISTLOC=sas.pem
    Specifies the CA trust list.
SIGNON=server-ID.service
    Specifies the server and service to connect to.
USER=_PROMPT_
    Prompts for the user ID and password to be used for authenticating the client to the server.
The server ID and the server's Common Name, which was specified in the server's digital certificate, must be identical.
For complete information about connecting to a z/OS spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.