SSLCACERTDIR Environment Variable

Specifies the location of the trusted certificate authorities (CA) found in OpenSSL format.

Client: Optional
Server: Optional
Valid in: Configuration file, SAS invocation, SAS/CONNECT spawner start-up
Categories: Communications: Networking and Encryption
System Administration: Security
Default: The default location for certificates is set using the SSLCALISTLOC= system option, which points to a single .pem file containing all trusted certificates. By contrast, the SSLCACERTDIR environment variable lets the customer specify a directory in which multiple certificate files reside. See SSLCALISTLOC= System Option.
Operating environment: UNIX
Note: This environment variable is available in all SAS 9.3 and SAS 9.4 versions of software if hot fixes are applied.
Tips: OpenSSL looks up a CA certificate in the directory by a hash of the certificate's subject name (the value printed by openssl x509 -hash). SSLCACERTDIR therefore requires that the certificates are located in the specified directory and that each certificate file is named (or linked) by the hash value that OpenSSL generates for it.
If you are upgrading from a version of OpenSSL that is older than 1.0.0, you need to update your certificate directory links. Starting with code base 1.0.0, SHA hashing is used instead of MD5, so links created under the older version are not found. You can use the OpenSSL c_rehash utility to re-create the symbolic links named by the new hash values.
You can also discover the hash value for a CA yourself and create a link to the file named after the certificate's hash value. Note that you must append ".0" to the hash value (the suffix distinguishes multiple certificates that hash to the same value):
ln -s cacert1.pem `openssl x509 -noout -hash -in /u/myuser/sslcerts/cacert1.pem`.0
If you list the CA file, you see the link between the file named after the certificate’s hash value and the CA file.
lrwxrwxrwx 1 myuser rnd 10 Apr 7 14:42 6730c6a9.0 -> cacert1.pem
To verify that OpenSSL can locate and validate the certificate file (cacert1.pem in this example) through the hashed directory, use the following OpenSSL command:
openssl verify -CApath /u/myuser/sslcerts cacert1.pem
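The link-by-hash and verify steps above, as an added POSIX shell example that is not part of the SAS documentation. It assumes the openssl command-line tool (1.0.0 or later) is on PATH; the CA certificate it creates, the directory names, and the function names are constructed for the demonstration. The link function numbers the ".N" suffix so that two CAs whose subjects hash to the same value both get a link, and the stale_hash_name function shows the pre-1.0.0 (MD5-based) name that an upgraded OpenSSL no longer looks for, which is why the links must be re-created after an upgrade.

```shell
#!/bin/sh
# Added example (not SAS code): build an SSLCACERTDIR-style directory of
# hash-named links from PEM CA files and verify a certificate against it.
# Assumes: openssl 1.0.0+ on PATH. All paths and names are constructed.
set -e

# make_test_ca DIR: create a constructed self-signed CA certificate for the demo
# and print the path of the PEM file.
make_test_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/cacert1.key" -out "$dir/cacert1.pem" >/dev/null 2>&1
    echo "$dir/cacert1.pem"
}

# link_ca_by_hash CERTDIR PEMFILE: create the <subject-hash>.N symlink that
# OpenSSL's -CApath lookup expects, inside CERTDIR, pointing at PEMFILE's
# basename. The suffix N counts up past existing links so that two CAs with
# the same subject hash both remain reachable. Prints the link name created
# (or already present for this file).
link_ca_by_hash() {
    certdir=$1
    pem=$2
    hash=$(openssl x509 -noout -hash -in "$pem")
    n=0
    while [ -e "$certdir/$hash.$n" ]; do
        # Idempotent: if this slot already points at our file, reuse it.
        if [ "$(readlink "$certdir/$hash.$n")" = "$(basename "$pem")" ]; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$(basename "$pem")" "$certdir/$hash.$n"
    echo "$hash.$n"
}

# verify_against_dir CERTDIR PEMFILE: exit status 0 if PEMFILE chains to a
# CA that OpenSSL can find in CERTDIR by hash name, non-zero otherwise.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# stale_hash_name PEMFILE: the MD5-based subject hash used by OpenSSL before
# 1.0.0. A link with this name is ignored by OpenSSL 1.x and later.
stale_hash_name() {
    openssl x509 -noout -subject_hash_old -in "$1"
}

# demo: end-to-end run in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    pem=$(make_test_ca "$tmp/ca")
    mkdir -p "$tmp/certs"
    cp "$pem" "$tmp/certs/"
    if verify_against_dir "$tmp/certs" "$tmp/certs/cacert1.pem"; then
        echo "unexpected: verified without a hash link"
    else
        echo "as expected: no hash link yet, verify fails"
    fi
    link=$(link_ca_by_hash "$tmp/certs" "$tmp/certs/cacert1.pem")
    echo "created link $link -> cacert1.pem"
    echo "old-style (MD5) name would have been $(stale_hash_name "$tmp/certs/cacert1.pem").0"
    if verify_against_dir "$tmp/certs" "$tmp/certs/cacert1.pem"; then
        echo "verify OK via -CApath $tmp/certs"
    fi
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run the script with the single argument demo to see the failing lookup before the link exists, the link name created, and the successful verification afterwards. The point to take away for SSLCACERTDIR is that the directory contents alone are not enough: a certificate that is present but not reachable by its current OpenSSL hash name is invisible to the lookup, which is exactly the failure mode after an OpenSSL upgrade.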
See: Defining Environment Variables in UNIX Environments in SAS Companion for UNIX Environments
Examples: The SSLCACERTDIR environment variable points to the directory where the CA certificate is located. Export the environment variable on UNIX hosts for the Bourne Shell:
export SSLCACERTDIR=/u/myuser/sslcerts/
Set the environment variable on UNIX hosts for the C shell to the directory where the CA certificates are located:
setenv SSLCACERTDIR /u/myuser/sslcerts/
Set the environment variable at SAS invocation for UNIX hosts:
-set "SSLCACERTDIR=/u/myuser/sslcerts/"

Syntax

SSLCACERTDIR="file-path"

Syntax Description

file-path

specifies the location where the public certificates for all of the trusted certificate authorities (CA) in the trust chain are filed. There is one file for each CA. The names of the files are the value of a hash that OpenSSL generates.

Note: OpenSSL generates different hash values for each OpenSSL version. For example, OpenSSL 0.9.8 generates different hash values than does OpenSSL 1.x.

Details

Environment variables SSLCACERTDIR and SSL_CERT_DIR point to a directory that contains all of the public certificate files of all CAs in the trust chain. One file exists for each CA in the trust chain.
SSLCACERTDIR requires the certificates to be in the directory where their names are the value of a hash that OpenSSL generates.
Each CA certificate file must be PEM-encoded (base64). For more information, see Certificate File Formats.
For Foundation Servers such as workspace servers and stored process servers (that is, servers in a deployment), if certificates are used, SAS searches for them in the following order:
  1. SAS looks for SAS system option SSLCALISTLOC= to find the file trustedcerts.pem.
  2. SAS looks for the SSLCALISTLOC environment variable to find the file trustedcerts.pem.
  3. If trustedcerts.pem exists and SSL_CERT_DIR and SSLCACERTDIR environment variables are set, SAS checks trustedcerts.pem first before it searches the directory.
  4. If trustedcerts.pem does not exist, but the certificates are in the directory defined by SSL_CERT_DIR or SSLCACERTDIR, then SAS ignores SSLCALISTLOC=.
  5. If trustedcerts.pem does not exist, and the SSL_CERT_DIR and SSLCACERTDIR environment variables are not set, SAS reports an error.
In SAS 9.4, the first maintenance release of SAS 9.4, and the second maintenance release of SAS 9.4, the default path set for the SSLCALISTLOC= system option on UNIX and z/OS foundation servers is SAS-configuration-directory/Levn/certs/cacert.pem. The cacert.pem file contains the list of trusted certificates.
In the third maintenance release of SAS 9.4, the default path set for the SSLCALISTLOC= system option on UNIX and z/OS foundation servers is <SASHome>/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.pem. The trustedcerts.pem file contains the list of trusted certificates.
Note: A trusted CA certificate is required at the client in order to validate a server's digital certificate. The trusted CA certificate must be from the CA that signed the server certificate.