TLS for a SAS/CONNECT UNIX Spawner: Example

Start-up of a UNIX Spawner on a SAS/CONNECT Server

After digital certificates are generated for the CA, the server, and the client, and a CA trust list for the client is created, you can start a UNIX spawner program that runs on a server that SAS/CONNECT clients connect to. The spawner acts both as a TLS server to CONNECT clients and a TLS client to the spawned CONNECT server.
The following example starts the spawner with TLS encryption and supplies the private-key password on the command line (the password can otherwise be provided either through prompting or within a file):
% cntspawn -service unxspawn -netencryptalgorithm ssl \
    -sslcertloc /users/server/certificates/server.pem \
    -sslpvtkeyloc /users/server/certificates/serverkey.pem \
    -sslpvtkeypass starbuck1 \
    -sslcalistloc /users/server/certificates/sas.pem \
    -sascmd /users/server/command.ksh
Note: Starting in the third maintenance release of SAS, the -sslcalistloc option might not be needed if you are managing certificates using the SDM.
The following table explains the SAS commands that are used to start a spawner on a SAS/CONNECT single-user server.

SAS Commands and Arguments for Spawner Start-Up Tasks (each command or argument is followed by its function)

CNTSPAWN
    Starts the spawner
-SERVICE unxspawn
    Specifies the spawner service (configured in the services file)
-NETENCRYPTALGORITHM SSL
    Specifies the SSL encryption algorithm
-SSLCERTLOC /users/server/certificates/server.pem
    Specifies the file path for the location of the server's public certificate
-SSLPVTKEYLOC /users/server/certificates/serverkey.pem
    Specifies the file path for the location of the server's private key
-SSLPVTKEYPASS password
    Specifies the password to access the server's private key if the private key is encrypted with a password
-SSLCALISTLOC /users/server/certificates/sas.pem
    Specifies the CA trust list
    Note: Starting in the third maintenance release of SAS, this option might not be needed if you are managing certificates using the SDM.
-SASCMD /users/server/command.ksh
    Specifies the name of an executable file that starts a SAS session when you sign on without a script file
In order for the UNIX CONNECT server to locate the appropriate server digital certificate, you must specify either the -SSLCERTLOC, -SSLPVTKEYLOC, and -SSLPVTKEYPASS options or the -SSLPKCS12LOC and -SSLPKCS12PASS options in the script that is specified by the -SASCMD option.
Here is an example of an executable file:
#!/bin/ksh
#----------------------------------
# mystartup
#----------------------------------

. ~/.profile
# Start the CONNECT server with the same server certificate and private key;
# "$@" passes through the arguments the spawner supplies.
sas -noterminal -sslcertloc /users/server/certificates/server.pem \
    -sslpvtkeyloc /users/server/certificates/serverkey.pem "$@"
#------------------------------
For complete information about starting a UNIX spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.

Connection of a SAS/CONNECT Client to a UNIX Spawner

After a UNIX spawner is started on a SAS/CONNECT server, a SAS/CONNECT client can connect to it.
The following example shows how to connect a client to a spawner that is running on a SAS/CONNECT server:
options netencryptalgorithm=ssl;
options sslcalistloc="/users/johndoe/certificates/sas.pem";
%let machine=unxspawn;
signon machine.spawner user=_prompt_;
The following table explains the SAS options that are used to connect to a SAS/CONNECT server.

SAS Options, Statements, and Arguments for Client Access to a SAS/CONNECT Server (each option, statement, or argument is followed by its client access task)

NETENCRYPTALGORITHM=SSL
    Specifies the encryption algorithm
SSLCALISTLOC=sas.pem
    Specifies the CA trust list
SIGNON=unxspawn
    Specifies the server and service to connect to
USER=_PROMPT_
    Prompts for the user ID and password to be used for authenticating the client to the server
The server-ID and the server's Common Name, which was specified in the server's digital certificate, must be identical.
For complete information about connecting to a UNIX spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.