What's New in Encryption in SAS 9.4

Overview

Encryption in SAS 9.4 is affected by the following changes and enhancements:
  • SAS/SECURE is included with Base SAS, instead of being licensed and ordered separately.
  • The new encoding type SAS004 (uses AES encryption with 64-bit salt) provides increased security for stored passwords.
  • Increased security is provided for SAS data on disk.
  • Enhanced logging features are introduced for encryption. These enhancements include new loggers and better debugging and traceback features that are now part of the SAS Logging Facility.
  • Digital certificates can be imported to a central location on a Windows client or server.
  • In the first maintenance release for SAS 9.4, the default location for the Certificate Authority (CA) trust list has changed for the UNIX and z/OS foundation servers. This default location is specified by the SSLCALISTLOC= option.
  • New environment variables SSL_CERT_DIR and SSLCACERTDIR can also be used to point to the location of certificates. These environment variables are supported on UNIX and support logging. The default location is specified by the SSLCALISTLOC= system option.
    Note: These environment variables are available through hot fixes in some maintenance releases.
  • Starting in the first maintenance release for SAS 9.4, Subject Alternative Names (SAN) in TLS certificates are supported. Server Name Indication (SNI) in the TLS handshake between clients and servers is also supported. Both are supported on UNIX and z/OS clients and servers.
  • In the third maintenance release of SAS 9.4, CA certificates are now located in the trustedcerts.pem file for UNIX and z/OS. The SSLCALISTLOC= option on UNIX and z/OS now points to the trustedcerts.pem file by default.
  • Two new environment variables have been added: SAS_SSL_MIN_PROTOCOL, supported on UNIX, Windows, and z/OS, and SAS_SSL_CIPHER_LIST, supported on UNIX and z/OS.
    Note: These environment variables are available through hot fixes for some maintenance releases.
  • In the third maintenance release of SAS 9.4, the SAS Deployment Manager is used to automate the process of updating the CA certificates on all hosts at SAS installation. The SAS Deployment Manager is used to manage the trusted Mozilla CA bundle (provided by SAS) for all hosts. After SAS installation, you can use the SAS Deployment Manager to add your own trusted certificates to this list.
  • In the third maintenance release of SAS 9.4, information about setting up a FIPS 140-2 environment has been updated in the SAS Deployment Wizard.
  • In the fourth maintenance release of SAS 9.4, the OpenSSL libraries provided by SAS have been updated. For SAS 9.4 and all maintenance releases of SAS 9.4, updated versions of OpenSSL are provided and updated through hot fixes for UNIX and z/OS.

General Enhancements

  • For software delivery purposes, SAS/SECURE is a product within the SAS System. In SAS 9.4, SAS/SECURE is included with the Base SAS software. In prior releases, SAS/SECURE was an add-on product that was licensed separately. This change makes strong encryption available in all deployments (except where prohibited by import restrictions).
  • If you use SAS/SECURE, you can use a new encoding type for stored passwords, SAS004 (uses AES encryption with 64-bit salt). The salt size was increased to 64 bits to comply with the minimum recommended salt size for PKCS #5 v2.0: Password-Based Cryptography Standard, http://www.rsa.com/rsalabs/node.asp?id=2127. See Technologies for Encryption and PWENCODE Procedure.
  • If you use SAS/SECURE, you can use an industry standard algorithm (AES) to encrypt SAS data on disk. For more information, see ENCRYPT= Data Set Option in SAS Data Set Options: Reference and SAS Data File Encryption in SAS Language Reference: Concepts.
  • The SAS Logging Facility now supports full logging and debugging of the SAS/CONNECT spawner operations. See LOGCONFIGLOC= System Option in SAS Logging: Configuration and Programming Reference for detailed information.
  • The SAS Logging Facility now supports full logging and debugging of encryption activity. See LOGCONFIGLOC= System Option in SAS Logging: Configuration and Programming Reference for system option information. For information about security loggers, see Encryption: SAS Logging Facility.
  • In the first and second maintenance releases for SAS 9.4, for TLS encryption, SAS sets the default location of the Certificate Authority (CA) trust list to SAS-configuration-directory/levn/certs/cacert.pem for UNIX and z/OS foundation servers. This default location is specified by the SSLCALISTLOC= option in configuration files. For more information, see SSLCALISTLOC= System Option.
  • In the third maintenance release of SAS 9.4, trusted certificates are located in the trustedcerts.pem file. The SSLCALISTLOC= system option points to the trustedcerts.pem file by default. This file is located in <SASHome>/SASSecurityCertificateFramework/1.1/cacerts/. The SSLCALISTLOC= system option and new location are automatically added at SAS installation.
  • Environment variables SSL_CERT_DIR and SSLCACERTDIR can also be used to point to the location of certificates. These environment variables are supported on UNIX and z/OS and support logging.
    Note: These environment variables are available through hot fixes in some maintenance releases.
  • Starting in the first maintenance release for SAS 9.4, UNIX and z/OS clients and servers now support Server Name Indication (SNI) and Subject Alternative Names (SAN) in TLS. The client uses SNI in the TLS handshake to tell the server which server name it is trying to connect to. SANs are used in TLS certificates. For information, see SSL_USE_SNI Environment Variable.
  • In the third maintenance release of SAS 9.4, two new environment variables are available: SAS_SSL_MIN_PROTOCOL, supported on UNIX, Windows, and z/OS, and SAS_SSL_CIPHER_LIST, supported on UNIX and z/OS. For more information, see SAS_SSL_MIN_PROTOCOL Environment Variable and SAS_SSL_CIPHER_LIST Environment Variable.
  • On a Windows server or client, the user can import digital certificates to a Machine Store as well as to a Personal Store. See TLS on Windows: Setting Up Digital Certificates.
  • In the third maintenance release of SAS 9.4, the SAS Deployment Manager can be used to automate the process of updating the list of trusted CA certificates. At installation, a list of trusted CA certificates that are distributed by Mozilla is installed, and SAS products are automatically configured to use it. The SAS Deployment Manager is used to manage this trusted CA bundle (provided by SAS) for all hosts. Which files the SAS Deployment Manager tasks update depends on the platform:
    • Windows: the Java version of the trusted CA bundle (trustedcerts.jks)
    • UNIX: both trustedcerts.pem and trustedcerts.jks
    • z/OS: trustedcerts.pem
    See Add Your Certificates to the Windows CA Stores and Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager. For the specific details about these SAS Deployment Manager tasks, see the SAS® Deployment Wizard and SAS® Deployment Manager 9.4: User's Guide.
  • In the third maintenance release of SAS 9.4, information has been added about setting the FIPS security settings on a Windows server. See TLS on Windows: FIPS 140-2 Capable OpenSSL.
  • In the third maintenance release of SAS 9.4, information about setting up a FIPS 140-2 environment on UNIX has been updated in the SAS Deployment Wizard. For specific information, see SAS® Deployment Wizard and SAS® Deployment Manager 9.4: User's Guide. For information about FIPS in this document, see FIPS 140-2 Standards Compliance, TLS: FIPS 140-2 Compliant Installation and Configuration, and TLS on UNIX: Building FIPS 140-2 Capable OpenSSL.
  • In the fourth maintenance release of SAS 9.4, the OpenSSL libraries provided by SAS have been updated. For SAS 9.4 and all maintenance releases of SAS 9.4, updated versions of OpenSSL for UNIX and z/OS are provided and updated through hot fixes. See the SAS Security Bulletin on OpenSSL for the most current information about the versions of OpenSSL used in SAS products and about the advisories under consideration.
    For a quick reference of the OpenSSL version supported for each version of SAS Foundation, see Mapping Between SAS Version and OpenSSL Version.
    Note: Windows versions of SAS support the TLS versions that Windows supports.
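
The two SAS/SECURE features listed above (SAS004 password encoding and AES encryption of a data file) in working code. This is an added example, not code from the SAS documentation; the library path and the passphrase are placeholders.

```sas
/* Added example, not part of the SAS documentation. Both steps need
   SAS/SECURE, which is bundled with Base SAS in SAS 9.4. */

/* 1. Encode a password with SAS004 (AES with a 64-bit salt). The
      {sas004}... string is written to the SAS log and can replace the
      clear-text value in configuration files. It is an encoding that
      SAS can reverse, not a one-way hash, so still protect the file. */
proc pwencode in='Sample#Passw0rd' method=sas004;
run;

/* 2. Encrypt a SAS data file on disk with AES. The ENCRYPTKEY= value is
      not stored with the file; losing it means losing the data. */
libname secure '/sasdata/secure';        /* assumed path */

data secure.accounts(encrypt=aes encryptkey='Correct-Horse-Battery-Staple');
   input acct $ balance;
   datalines;
1001 2500.00
1002 740.15
;
run;

/* 3. Every later access (DATA step, PROC PRINT, PROC CONTENTS, PROC COPY)
      must supply the same key; omitting it is an error, not a fallback
      to clear text. */
proc print data=secure.accounts(encryptkey='Correct-Horse-Battery-Staple');
run;
```

Two caveats a practitioner should keep in mind: a data set written with ENCRYPT=AES cannot be read by SAS releases before 9.4, and the PWENCODE output protects against casual viewing of a configuration file rather than against anyone who can run SAS against it.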

Documentation Enhancements

In the fourth maintenance release of SAS 9.4, we have moved information about certificate management into this document and into the SAS 9.4 Intelligence Platform: Security Administration Guide. The following topic information previously existed in the SAS 9.4 Intelligence Platform Installation and Configuration Guide.