NETENCRYPTALGORITHM System Option

Specifies the algorithm or algorithms to be used for encrypted client/server data transfers.

Client:	Optional
Server:	Required
Valid in:	Configuration file, OPTIONS statement, SAS System Options window, SAS invocation, SAS/CONNECT spawner command line
Category:	Communications: Networking and Encryption
PROC OPTIONS GROUP=	Communications
Alias:	NETENCRALG
Operating environment:	UNIX, Windows, z/OS
See:	NETENCRYPT System Option, ENCRYPTFIPS System Option
Examples:	TLS for a SAS/CONNECT Windows Spawner: Example TLS on a z/OS Spawner on a SAS/CONNECT Server: Example TLS for a SAS/CONNECT UNIX Spawner: Example

Syntax

Syntax Description

Details

Example

Syntax

NETENCRYPTALGORITHM algorithm | (“algorithm-1”... “algorithm-n”)

Syntax Description

algorithm | (“algorithm-1”... “algorithm-n”)

specifies the algorithm or algorithms that can be used for encrypting data that is transferred between a client and a server across a network. When you specify two or more encryption algorithms, use a space or a comma to separate them, and enclose the algorithms in parentheses.

The following algorithms can be used:

RC2
RC4
DES
TripleDES
SAS Proprietary
SSL
AES

Restrictions	If you do not have SAS/SECURE, an error is generated if algorithm AES is specified.
	The SSL option is not applicable to the Integrated Object Model (IOM) servers.
	When ENCRYPTFIPS is specified, only the SSL algorithm or the AES algorithm can be specified. Otherwise, an error message is output.

Details

The NETENCRYPTALGORITHM option must be specified in the server session.

Use this option to specify one or more encryption algorithms that you want to use to protect the data that is transferred across the network. If more than one algorithm is specified, the client session negotiates the first specified algorithm with the server session. If the client session does not support that algorithm, the second algorithm is negotiated, and so on.

If either the client session or the server session specifies the NETENCRYPT option (which makes encryption mandatory) but a common encryption algorithm cannot be negotiated, the client cannot connect to the server.

If the NETENCRYPTALGORITHM option is specified in the server session only, then the server's values are used to negotiate the algorithm selection. If the client session supports only one of multiple algorithms that are specified in the server session, the client can connect to the server.

There is an interaction between either NETENCRYPT or NONETENCRYPT and the NETENCRYPTALGORITHM option.

Client/Server Connection Outcomes
Server Settings	Client Settings	Connection Outcome
NONETENCRYPT NETENCRALG=alg	No settings	If the client is capable of encryption, the client/server connection is encrypted. Otherwise, the connection is not encrypted.
NETENCRYPT NETENCRALG=alg	No settings	If the client is capable of encryption, the client/server connection is encrypted. Otherwise, the client/server connection fails.
No settings	NONETENCRYPT NETENCRALG=alg	A client/server connection is not encrypted.
No settings	NETENCRYPT NETENCRALG=alg	A client/server connection fails.
NETENCRYPT or NONETENCRYPT NETENCRALG=alg-1	NETENCRALG=alg-2	Regardless of whether NETENCRYPT or NONETENCRYPT is specified, a client/server connection fails.

Example

In the following example, the client and the server specify different values for the NETENCRYPTALGORITHM option.

The client specifies two algorithms in the following OPTIONS statement:

options netencryptalgorithm=(rc2 tripledes);

The server specifies three algorithms and requires encryption in the following OPTIONS statement:

options netencrypt netencryptalgorithm=(ssl des tripledes);

The client and the server negotiate an algorithm that they share in common, TripleDES, for encrypting data transfers.