What's New in Encryption in SAS 9.4
Overview
Encryption in SAS is affected by the following changes and enhancements in SAS:
- SAS/SECURE is included with Base SAS, instead of being licensed and ordered separately.
- The new encoding type SAS004 (uses AES encryption with 64-bit salt) provides increased security for stored passwords.
- Increased security is provided for SAS data on disk.
- Enhanced logging features are introduced for encryption. These enhancements include new loggers and better debugging and traceback features that are now part of the SAS Logging Facility.
- Digital certificates can be imported to a central location on a Windows client or server.
- In the first maintenance release for SAS 9.4, the default location for the Certificate Authority (CA) trust list has changed for the UNIX and z/OS foundation servers. This default location is specified by the SSLCALISTLOC= option.
- New environment variables SSL_CERT_DIR and SSLCACERTDIR can also be used to point to the location of certificates. These environment variables are supported on UNIX and support logging. The default location is specified by the SSLCALISTLOC= system option.
  Note: These environment variables are available through hot fixes in some maintenance releases.
- Starting in the first maintenance release for SAS 9.4, Subject Alternative Names (SAN) in TLS certificates are supported. Server Name Indication (SNI) in the TLS handshake between clients and servers is also supported. Both are supported on UNIX and z/OS clients and servers.
- In the third maintenance release of SAS 9.4, CA certificates are now located in the trustedcerts.pem file for UNIX and z/OS. The SSLCALISTLOC= option on UNIX and z/OS now points to the trustedcerts.pem file by default.
- The SAS_SSL_MIN_PROTOCOL environment variable supported on UNIX, Windows, and z/OS, and the SAS_SSL_CIPHER_LIST environment variable supported on UNIX and z/OS have been added.
  Note: These environment variables are available through hot fixes for some maintenance releases.
- In the third maintenance release of SAS 9.4, the SAS Deployment Manager is used to automate the process of updating the CA certificates on all hosts at SAS installation. The SAS Deployment Manager is used to manage the trusted Mozilla CA bundle (provided by SAS) for all hosts. After SAS installation, you can use the SAS Deployment Manager to add your own trusted certificates to this list.
- In the third maintenance release of SAS 9.4, information about setting up a FIPS-2 environment has been updated in the SAS Deployment Wizard.
- In the fourth maintenance release of SAS 9.4, the OpenSSL libraries provided by SAS have been updated. For SAS 9.4 and all maintenance releases of SAS 9.4, updated versions of OpenSSL are provided and updated through hot fixes for UNIX and z/OS.
General Enhancements
- For software delivery purposes, SAS/SECURE is a product within the SAS System. In SAS 9.4, SAS/SECURE is included with the Base SAS software. In prior releases, SAS/SECURE was an add-on product that was licensed separately. This change makes strong encryption available in all deployments (except where prohibited by import restrictions).
- If you use SAS/SECURE, you can use a new encoding type for stored passwords, SAS004 (uses AES encryption with 64-bit salt). The salt size was increased to 64 bits to comply with the minimum recommended salt size for PKCS #5 v2.0: Password-Based Cryptography Standard, http://www.rsa.com/rsalabs/node.asp?id=2127. See Technologies for Encryption and PWENCODE Procedure.
- If you use SAS/SECURE, you can use an industry standard algorithm (AES) to encrypt SAS data on disk. For more information, see ENCRYPT= Data Set Option in SAS Data Set Options: Reference and SAS Data File Encryption in SAS Language Reference: Concepts.
- The SAS Logging Facility now supports full logging and debugging of the SAS/CONNECT spawner operations. See LOGCONFIGLOC= System Option in SAS Logging: Configuration and Programming Reference for detailed information.
- In the first maintenance release and the second maintenance release for SAS 9.4, for TLS encryption, SAS sets the default location of the Certificate Authority (CA) trust list to SAS-configuration-directory/levn/certs/cacert.pem for UNIX and z/OS foundation servers. This default location is specified by the SSLCALISTLOC= option in configuration files. For more information, see SSLCALISTLOC= System Option.
- In the third maintenance release of SAS 9.4, trusted certificates are located in the trustedcerts.pem file. The SSLCALISTLOC= system option points to the trustedcerts.pem file by default. This file is located in <SASHome>/SASSecurityCertificateFramework/1.1/cacerts/. The SSLCALISTLOC= system option and new location are automatically added at SAS installation.
- Environment variables SSL_CERT_DIR and SSLCACERTDIR can also be used to point to the location of certificates. These environment variables are supported on UNIX and z/OS and support logging.
  Note: These environment variables are available through hot fixes in some maintenance releases.
- Starting in the first maintenance release for SAS 9.4, UNIX and z/OS clients and servers now support Server Name Indication (SNI) and Subject Alternative Names (SAN) in TLS. The client uses SNI in the TLS handshake to tell the server which server name it is trying to connect to. SANs are used in TLS certificates. For information, see SSL_USE_SNI Environment Variable.
- In the third maintenance release of SAS 9.4, the SAS Deployment Manager can be used to automate the process of updating the list of trusted CA certificates. At installation, a list of trusted CA certificates that are distributed by Mozilla is installed, and SAS products are automatically configured to use this list. The SAS Deployment Manager is used to manage the trusted CA bundle (provided by SAS) for all hosts. The trustedcerts.pem and trustedcerts.jks files are both updated. On Windows, the SAS Deployment Manager tasks manage the Java version of the trusted CA bundle; on UNIX, the SAS Deployment Manager task updates the trustedcerts.pem and the trustedcerts.jks files; and on z/OS, the SAS Deployment Manager tasks update the trustedcerts.pem file.
- In the fourth maintenance release of SAS 9.4, the OpenSSL libraries provided by SAS have been updated. For SAS 9.4 and all maintenance releases of SAS 9.4, updated versions of OpenSSL for UNIX and z/OS are provided and updated through hot fixes. See the SAS Security Bulletin on OpenSSL for the most current information about the versions of OpenSSL used in SAS products and about the advisories under consideration.
  Note: Windows versions of SAS support the TLS versions that Windows supports.
Documentation Enhancements
In the fourth maintenance release of SAS 9.4, we have moved information about certificate management into this document and into the SAS 9.4 Intelligence Platform: Security Administration Guide. The following topic information previously existed in the SAS 9.4 Intelligence Platform Installation and Configuration Guide.
Copyright © SAS Institute Inc. All Rights Reserved.