Certificates must be validated between the clients and servers. The following SAS system options, environment variables, or Windows selections are set to provide information about the signer’s public key.
- For SAS servers on UNIX or z/OS: Certificates can be in one of two locations:
  - All certificates must be in one file in PEM format that is referenced by the SSLCALISTLOC= option. The option points to the signer's public key (a file in PEM format). When a server or client receives a certificate, it has to validate the certificate using the signer's public key. Normally, a website is required to send all intermediate certificates when it sends the server certificate. If it does, the file referenced by SSLCALISTLOC= just needs to contain the root CA certificate. If it does not, then all intermediate CA certificates need to be put into the file.
  - For UNIX, all certificates must be in an OpenSSL CA certificates directory pointed to by the SSL_CERT_DIR or SSLCACERTDIR environment variable. SSL_CERT_DIR is the OpenSSL environment variable and SSLCACERTDIR is the SAS environment variable. The layout of this directory is specified by OpenSSL, where the certificates are in PEM format and referenced by their hash values.
- For the SAS servers on Windows: The certificate must be in the Windows System truststore.
  Note: Many certificates are already pre-populated on Windows machines.
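The two UNIX locations described above, as an added example that is not SAS code or part of the original documentation: it builds a constructed root, intermediate and server certificate with the `openssl` command line, then checks the server certificate against a root-only file, a root-plus-intermediate file (the kind of file SSLCALISTLOC= references) and a hashed directory (the kind SSL_CERT_DIR or SSLCACERTDIR points to). All certificate names, file names and paths are hypothetical.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> server); every name and path is hypothetical.
make_demo_pki() {   # $1 = writable work directory
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=demo' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
  # Self-signed root CA.
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Root CA" -days 30 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/demo.cnf" -extensions v3_ca -days 30 -out "$d/int.pem" 2>/dev/null
  # Server certificate, signed by the intermediate.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=server.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -out "$d/srv.pem" 2>/dev/null
}

# OpenSSL CA directory layout: each PEM certificate is stored as <subject-hash>.0
# (the numeric suffix counts up when two certificates share a hash).
make_hashed_dir() {   # $1 = directory, remaining args = PEM certificates
  hd=$1; shift; mkdir -p "$hd"
  for c in "$@"; do cp "$c" "$hd/$(openssl x509 -noout -hash -in "$c").0"; done
}

# True when `openssl verify` reports OK for the given trust options and certificate.
chain_ok() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

work=$(mktemp -d)
make_demo_pki "$work"
cat "$work/root.pem" "$work/int.pem" > "$work/bundle.pem"        # single-file form
make_hashed_dir "$work/certs" "$work/root.pem" "$work/int.pem"   # directory form

report() { label=$1; shift; if chain_ok "$@"; then echo "$label: OK"; else echo "$label: FAILED"; fi; }
# -untrusted models a peer that sends its intermediate along with the server certificate.
report "root only, peer sends no intermediate" -CAfile "$work/root.pem" "$work/srv.pem"
report "root only, peer sends intermediate" -CAfile "$work/root.pem" -untrusted "$work/int.pem" "$work/srv.pem"
report "root + intermediate in one PEM file" -CAfile "$work/bundle.pem" "$work/srv.pem"
report "hashed CA directory" -CApath "$work/certs" "$work/srv.pem"
```

The first check reports FAILED and the other three report OK, which is the case the text describes: a root-only file is enough only when the peer sends its intermediate certificates.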