Specifies the location of the trusted certificate authorities (CA) found in OpenSSL format. This is the OpenSSL environment variable.
Client: | Optional |
Server: | Optional |
Valid in: | Configuration file, SAS invocation, SAS/CONNECT spawner start-up |
Categories: | Communications: Networking and Encryption |
System Administration: Security | |
Default: | The default location for certificates is set using the SSLCALISTLOC= system option. Certificates are located in one .pem file. By contrast, the SSLCACERTDIR environment variable allows the customer to specify a location where multiple certificate files reside. See SSLCALISTLOC= System Option. |
Operating environment: | UNIX |
Note: | This environment variable is available in all SAS 9.3 and SAS 9.4 versions of software if hot fixes are applied. |
Tips: | OpenSSL looks up the CA certificate based on the x509 hash value of the certificate. SSL_CERT_DIR requires that the certificates are located in the specified directory where the certificate names are the value of a hash that OpenSSL generates. |
If you are upgrading from a version of OpenSSL that is older than 1.0.0, you need to update your certificate directory links. Starting with code base 1.0.0, SHA hashing is used instead of MD5. You can use the OpenSSL c_rehash utility to re-create symbolic links to files named by the hash values. | |
You can discover the hash value for the CA and then create a link to the file named after the certificate's hash value. Note that you must add ".0" to the hash value.
ln -s cacert1.pem `openssl x509 -noout -hash -in /u/myuser/sslcerts/cacert1.pem`.0
If you list the CA file, you see the link between the file named after the certificate's hash value and the CA file.
lrwxrwxrwx 1 myuser rnd 10 Apr 7 14:42 6730c6a9.0 -> cacert1.pem |
|
To verify the path of the server certificate file (cacert1.pem for our example), use the following OpenSSL command:
openssl verify -CApath /u/myuser/sslcerts cacert1.pem |
|
See: | Defining Environment Variables in UNIX Environments in SAS Companion for UNIX Environments |
Examples: | The SSL_CERT_DIR environment variable points to the directory where the CA certificate is located. Export the environment variable on UNIX hosts for the Bourne Shell:
export SSL_CERT_DIR=/u/myuser/sslcerts/ |
Set the environment variable on UNIX hosts for the C Shell to the directory where the CA certificates are located:
setenv SSL_CERT_DIR /u/myuser/sslcerts/ |
|
Set the environment variable at SAS invocation for UNIX hosts:
-set "SSL_CERT_DIR=/u/myuser/sslcerts/" |
specifies the location where the public certificates for all of the trusted certificate authorities (CA) in the trust chain are filed. There is one file for each CA. The names of the files are the value of a hash that OpenSSL generates.
SAS-configuration-directory/Levn/certs/cacert.pem. The cacert.pem file contains the list of trusted certificates.
<SASHome>/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.pem. The trustedcerts.pem file contains the list of trusted certificates.
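
The hashed-link layout described in the Tips above, as an added example that is not part of the SAS documentation or of OpenSSL: a POSIX shell script that creates the hash-named links for every .pem file in a directory and then audits it for dangling links, link names that no longer match the certificate's hash (as after an upgrade from OpenSSL older than 1.0.0), and gaps in the numeric suffix. It goes beyond the single ".0" case shown above to suffixes .1, .2, and so on, which are used when two certificates share a hash. The function names cert_hash, link_ca_dir and audit_ca_dir are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SAS or OpenSSL code): build and audit a hashed CA directory.

# Subject hash that OpenSSL uses as the link name.
cert_hash() { openssl x509 -noout -hash -in "$1" 2>/dev/null; }

# Link every *.pem in DIR as <hash>.N, taking the next free N on a hash collision.
link_ca_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(cert_hash "$pem") || { echo "cannot hash: $pem" >&2; continue; }
        n=0
        while [ -L "$dir/$h.$n" ] || [ -e "$dir/$h.$n" ]; do
            # Already linked to this file: leave it alone.
            [ "$(readlink "$dir/$h.$n")" = "${pem##*/}" ] && continue 2
            n=$((n + 1))
        done
        ln -s "${pem##*/}" "$dir/$h.$n"
    done
}

# Report links that lookup would skip or that carry an outdated name.
# OpenSSL tries <hash>.0, <hash>.1, ... and stops at the first missing file.
audit_ca_dir() {
    dir=$1; rc=0
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue
        name=${link##*/}; h=${name%.*}; n=${name##*.}
        case $n in *[!0-9]*|0?*) continue ;; esac
        if [ ! -e "$link" ]; then
            echo "dangling: $name"; rc=1
        elif [ "$(cert_hash "$link")" != "$h" ]; then
            # Typical after upgrading from OpenSSL < 1.0.0 (old MD5-based names).
            echo "stale hash name: $name"; rc=1
        fi
        if [ "$n" -gt 0 ] && [ ! -e "$dir/$h.$((n - 1))" ]; then
            echo "unreachable (gap before it): $name"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh script.sh /u/myuser/sslcerts
[ "$#" -eq 0 ] || { link_ca_dir "$1"; audit_ca_dir "$1"; }
```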