SSLCALISTLOC= System Option

Specifies the location of the public certificate(s) for trusted certificate authorities (CA).

Client: Required
Server: Optional
Valid in: Configuration file, OPTIONS statement, SAS System Options window, SAS invocation, SAS/CONNECT spawner command line
Category: Communications: Networking and Encryption
PROC OPTIONS GROUP= Communications
Operating environment: UNIX, z/OS
Notes: In the third maintenance release of SAS 9.4, the default path set for the SSLCALISTLOC= system option on UNIX and z/OS foundation servers is <SASHome>/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.pem. The trustedcerts.pem file contains the list of trusted CA Certificates, the Mozilla Bundle provided by SAS at installation.
In SAS 9.4, the first maintenance release of SAS 9.4, and the second maintenance release of SAS 9.4, the default path set for the SSLCALISTLOC= system option on UNIX and z/OS foundation servers is SAS-configuration-directory/Levn/certs/cacert.pem. The cacert.pem file contains the list of trusted CA Certificates.
Tip: When additional encryption options are specified on the spawner command line, the options must be included in the -SASCMD value. The spawner does not automatically pass the encryption values. For detailed information, see SASCMD for your operating environment in SAS/CONNECT User’s Guide.
See: Certificate Locations.
TLS for a SAS/CONNECT UNIX Spawner: Example

TLS on a z/OS Spawner on a SAS/CONNECT Server: Example

Syntax

SSLCALISTLOC="file-path"

Syntax Description

file-path

specifies the location of a single file that contains the public certificate(s) for all of the trusted certificate authorities (CA) in the trust chain.

Details

The SSLCALISTLOC= option specifies the location of a single file that contains the public certificate(s) for all of the trusted certificate authorities (CA) in the trust chain. The CA file must be PEM-encoded (base64). For z/OS, the file must be formatted as ASCII and must reside in a UNIX file system. For more information, see Certificate File Formats.
From SAS 9.4 to the second maintenance release of SAS 9.4, the default setting for the SSLCALISTLOC= system option on UNIX and z/OS foundation servers is SAS-configuration-directory/Levn/certs/cacert.pem. The cacert.pem file contains the list of trusted CA Certificates.
In the third maintenance release of SAS 9.4, the default path set for the SSLCALISTLOC= system option on UNIX foundation servers is <SASRoot>/SASHome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.pem. By default, the trustedcerts.pem file contains a managed set of trusted root certificates provided by Mozilla. If additional CA certificates are required, they can be added using the SAS Deployment Manager.
CAUTION:
Do not change the SSLCALISTLOC= system option.
Starting in the third maintenance release of SAS 9.4, the SSLCALISTLOC= system option should not be overridden or changed unless directed by technical support or PSD. In addition, the trustedcerts.pem file should not be altered by any means other than the new SAS Deployment Manager tasks for adding certificates to and removing certificates from the Trusted CA Bundle. If the file is changed outside of these tasks, the provided Trusted CA Bundle might not be supported and maintenance of those changes is not guaranteed. See Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager.
For the specifics and an example of how to create a trust list on z/OS, refer to Step 5. Create a CA Trust List Using OpenSSL. For information about creating a trust list on UNIX, refer to Step 5. Create a Certificate Chain in PEM Format Using OpenSSL and Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager.
Note: The environment variables SSLCACERTDIR and SSL_CERT_DIR point to a directory that contains the public certificate files of all CAs in the trust chain. One file exists for each CA in the trust chain. These variables can be used instead of the SSLCALISTLOC= system option. Refer to SSLCACERTDIR Environment Variable and SSL_CERT_DIR Environment Variable.
For Foundation Servers such as workspace servers and stored process servers (that is, servers in a deployment), if certificates are used, SAS searches for certificates in the following order:
  1. SAS looks for SAS system option SSLCALISTLOC= to find the file trustedcerts.pem.
  2. SAS looks for the SSLCALISTLOC environment variable to find the file trustedcerts.pem.
  3. If trustedcerts.pem exists and SSL_CERT_DIR and SSLCACERTDIR environment variables are set, SAS checks trustedcerts.pem first before it searches these directories.
  4. If trustedcerts.pem does not exist, but the certificates are in the directory defined by SSL_CERT_DIR or SSLCACERTDIR, then SAS ignores SSLCALISTLOC=.
  5. If trustedcerts.pem does not exist, and the SSL_CERT_DIR and SSLCACERTDIR environment variables are not set, SAS reports an error.
Note: A trusted CA certificate is required at the client in order to validate a server's digital certificate. The trusted CA certificate must be from the CA that signed the server certificate. The SSLCALISTLOC= option is required at the server only if the SSLCLIENTAUTH option is also specified at the server.
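The certificate search order listed above can be checked before a server is started. The following script is an added example, not SAS code: it models the five documented steps to report which trust source would be selected and confirms that the CA file contains PEM certificate blocks. The function names, the output labels, and the scratch bundle are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a model of the documented lookup order, not SAS code.

# Print the number of PEM certificate blocks in file $1 (0 if none).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# True when $1 names a directory that holds at least one entry.
dir_has_certs() {
    [ -n "$1" ] && [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# resolve_trust_source OPTION_VALUE
#   OPTION_VALUE is the SSLCALISTLOC= system option value ("" if not set).
#   Prints the trust source the documented order selects; returns 1 on error.
resolve_trust_source() {
    bundle=${1:-${SSLCALISTLOC:-}}          # steps 1-2: option, then env var
    dirs=""
    for d in "${SSL_CERT_DIR:-}" "${SSLCACERTDIR:-}"; do
        if dir_has_certs "$d"; then dirs="$dirs${dirs:+ }$d"; fi
    done
    if [ -n "$bundle" ] && [ -f "$bundle" ]; then
        n=$(count_pem_certs "$bundle")
        if [ "${n:-0}" -eq 0 ]; then        # page: CA file must be PEM-encoded
            echo "error: $bundle contains no PEM certificates"; return 1
        fi
        if [ -n "$dirs" ]; then             # step 3: file first, then dirs
            echo "bundle-then-dirs: $bundle ($n certs); $dirs"
        else
            echo "bundle: $bundle ($n certs)"
        fi
        return 0
    fi
    if [ -n "$dirs" ]; then                 # step 4: file missing, dirs used
        echo "dirs-only: $dirs"; return 0
    fi
    echo "error: no CA file and no certificate directory"   # step 5
    return 1
}

# Constructed demo input: a scratch bundle with two placeholder PEM blocks.
tmp=$(mktemp -d)
for i in 1 2; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----'
done > "$tmp/trustedcerts.pem"
unset SSLCALISTLOC SSL_CERT_DIR SSLCACERTDIR
resolve_trust_source "$tmp/trustedcerts.pem"
```

A "dirs-only" result means the SSLCALISTLOC= value is being ignored because its file is missing, which is worth catching when the managed bundle was expected to be in use.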