TLS for a SAS/CONNECT UNIX Spawner: Example

Start-up of a UNIX Spawner on a SAS/CONNECT Server

Connection of a SAS/CONNECT Client to a UNIX Spawner

Start-up of a UNIX Spawner on a SAS/CONNECT Server

After digital certificates are generated for the CA, the server, and the client, and a CA trust list for the client is created, you can start a UNIX spawner program that runs on a server that SAS/CONNECT clients connect to. The spawner acts both as a TLS server to CONNECT clients and a TLS client to the spawned CONNECT server.

The following example code starts the spawner using TLS encryption and specifies a private password that must be provided either through prompting or within a file:

% cntspawn -service unxspawn -netencryptalgorithm ssl 
-sslcertloc /users/server/certificates/server.pem 
-sslpvtkeyloc /users/server/certificates/serverkey.pem 
-sslpvtkeypass starbuck1
-sslcalistloc /users/server/certificates/sas.pem
-sascmd /users/server/command.ksh

Note: Starting in the third maintenance release of SAS, this option might not be needed if you are managing certificates using the SDM.

The following table explains the SAS commands that are used to start a spawner on a SAS/CONNECT single-user server.

SAS Commands and Arguments for Spawner Start-Up Tasks
SAS Commands and Arguments	Function
CNTSPAWN	Starts the spawner
-SERVICE unxspawn	Specifies the spawner service (configured in the services file)
-NETENCRYPTALGORITM SSL	Specifies the SSL encryption algorithm
-SSLCERTLOC /users/server/certificates/server.pem	Specifies the file path for the location of the server's public certificate
-SSLPVTKEYLOC /users/server/certificates/serverkey.pem	Specifies the file path for the location of the server's private key
-SSLPVTKEYPASS password	Specifies the password to access the server's private key if the private key is encrypted with a password
-SSLCALISTLOC /users/server/certificates/sas.pem	Specifies the CA trust list Note: Starting in the third maintenance release of SAS, this option might not be needed if you are managing certificates using the SDM.
-SASCMD /users/server/command.ksh	Specifies the name of an executable file that starts a SAS session when you sign on without a script file

In order for the UNIX CONNECT server to locate the appropriate server digital certificate, you must specify either the -SSLCERTLOC, -SSLPVTKEYLOC, and -SSLPVTKEYPASS options or the -SSLPKCS12LOC and -SSLPKCS12PASS options in the script that is specified by the -SASCMD option.

Here is an example of an executable file:

#!/bin/ksh
#----------------------------------
# mystartup
#----------------------------------

. ~/.profile
sas -noterminal -sslcertloc /users/server/certificates/server.pem 
-sslpvtkeyloc /users/server/certificates/serverkey.pem $*
#------------------------------

For complete information about starting a UNIX spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.

Connection of a SAS/CONNECT Client to a UNIX Spawner

After a UNIX spawner is started on a SAS/CONNECT server, a SAS/CONNECT client can connect to it.

The following example shows how to connect a client to a spawner that is running on a SAS/CONNECT server:

options netencryptalgorithm=ssl;
options sslcalistloc="/users/johndoe/certificates/sas.pem";
%let machine=unxspawn;
signon machine.spawner user=_prompt_;

The following table explains the SAS options that are used to connect to a SAS/CONNECT server.

SAS Options, Statements, and Arguments for Client Access to a SAS/CONNECT Server
SAS Options, Statements, and Arguments	Client Access Tasks
NETENCRYPTALGORITHM=SSL	Specifies the encryption algorithm
SSLCALISTLOC=sas.pem	Specifies the CA trust list
SIGNON=unxspawn	Specifies the server and service to connect to
USER=_PROMPT_	Prompts for the user ID and password to be used for authenticating the client to the server

The server-ID and the server's Common Name, which was specified in the server's digital certificate, must be identical.

For complete information about connecting to a UNIX spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.