Problem Note 56154: File Transfer Protocol Secure (FTPS, FTPES, and FTP/TLS) support
 |  |  |  |  |
Explicit FTP (FTPS, FTPES, and FTP/TLS) is supported in SAS® 9.4M3 (TS1M3) as shipped.
Click the Hot Fix tab in this note to access the hot fix to add support of this feature to SAS® 9.4M2 (TS1M2).
- Adding Options to the FILENAME FTP Statement
- Using the SAS_FTP_AUTHTLS Environment Variable
- Choosing the SAS_FTP_AUTHTLS Environment Variable Value
- Setting the SAS_FTP_AUTHTLS Environment Variable
- Additional Information
With this hot fix, you can use explicit FTP/TLS either by adding options to the FILENAME FTP statement or by using the SAS_FTP_AUTHTLS environment variable.
Adding Options to the FILENAME FTP Statement
Any current FILENAME FTP statement can use FTP/TLS with the following requirements:
- The FTP server is required to support the following options:
- AUTHTLS: This option issues the FTP AUTH TLS command to the FTP server requesting Transport Layer Security (TLS) authentication, which secures the FTP Control Channel.
- PROT P: This option issues the FTP Data Channel protection level command. The default value is P, which refers to Private and provides both Integrity checking and Confidentiality Protection.
- PBSZ=: This option specifies the FTP data channel Protection Buffer Size, which has a default value of 0. This option allows a value range from 0 - 32,767.
- The name of the FTP server being accessed in the FILENAME FTP statement must match the Subject Common Name on the SSL certificate.
- In UNIX and z/OS operating environments, the TLS/SSL certificate must be stored in a file in ASCII format. Use the SSLCALISTLOC= system option to refer to the location of the certificate. In a Microsoft Windows operating environment, the certificate must be imported to the certificate store for the computer.
Note: When you specify the DEBUG parameter in the FILENAME FTP statement, the following note from the FTP server indicates that AUTH TLS is being used for FTP/TLS support:
NOTE: <<< 234 Security environment established - ready for negotiation
Using the SAS_FTP_AUTHTLS Environment Variable
With this hot fix, the SAS_FTP_AUTHTLS environment variable enables implementation of explicit FTP/TLS without the need to change the SAS code to add the new FILENAME FTP statement options (AUTHTLS, PROT=, or PBSZ=).
In UNIX and z/OS operating environments, if you use the SAS_FTP_AUTHTLS environment variable and you do not specify the following options, basic FTP authentication is attempted:
- AUTHTLS
- PROT=
- PBSZ=
- SSLCALISTLOC=
If the SSLCALISTLOC= system option is specified, TLS authentication is enforced if the FTP server accepts it.
In a Windows operating environment, if you do not specify the AUTHTLS, PROT=, or PBSZ= options in the FILENAME FTP statement, TLS authentication is attempted. If TLS authentication is not allowed on the FTP server, basic FTP authentication is attempted.
Choosing the SAS_FTP_AUTHTLS Environment Variable Value
The following are acceptable SAS_FTP_AUTHTLS values:
- -set SAS_FTP_AUTHTLS 0: This value is the default. This value uses the FILENAME FTP statement options to determine TLS security. Therefore, the use of this value is similar to running without the SAS_FTP_AUTHTLS environment variable.
- -set SAS_FTP_AUTHTLS 1: Enforces TLS authentication. If security authorization fails, an error is returned.
- -set SAS_FTP_AUTHTLS 2: Enforces TLS authentication if you specify the AUTHTLS, PROT=, or PBSZ= option in the FILENAME FTP statement.
- -set SAS_FTP_AUTHTLS 3: Enforces TLS authentication and returns the following note to the SAS log: The security type of TLS is being enforced for Filename FTP execution. If security authorization fails, an error is returned.
Setting the SAS_FTP_AUTHTLS Environment Variable
The SAS_FTP_AUTHTLS environment variable can be set in an OPTIONS statement, in a SAS configuration file, or at SAS invocation. To set the SAS_FTP_AUTHTLS environment variable:
- in an OPTIONS statement:
options set=SAS_FTP_AUTHTLS="1";
- at SAS invocation or in a SAS configuration file:
-set SAS_FTP_AUTHTLS 1
Additional Information
For more details about the FILENAME FTP statement and the SAS_FTP_AUTHTLS environment variable, see these documents:
- FILENAME Statement, FTP Access Method section of the SAS® 9.4 Statements Reference, Fourth Edition
- SAS_FTP_AUTHTLS Environment Variable section of the SAS® 9.4 Statements: Reference, Fourth Edition
If you are not sure whether your site is using Implicit FTP or Explicit FTP, refer to SAS Note 66492, "FILENAME FTP(FTP/TLS) fails with "ERROR: The connection was reset by a peer" due to using implicit FTP/TLS."
For more details about TLS and Certificates, see the Certificates Explained section of the Encryption in SAS® 9.4, Fifth Edition.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | Base SAS | 64-bit Enabled AIX | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 |
| Windows 7 Ultimate x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Windows 7 Ultimate 32 bit | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Windows 7 Professional x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Windows 7 Professional 32 bit | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Windows 7 Home Premium x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Windows 7 Home Premium 32 bit | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Windows 7 Enterprise x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Windows 7 Enterprise 32 bit | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows Server 2012 Std | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows Server 2012 R2 Std | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows Server 2012 R2 Datacenter | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows Server 2012 Datacenter | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows Server 2008 for x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows Server 2008 R2 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows Server 2008 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows 8.1 Pro 32-bit | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows 8.1 Pro | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows 8.1 Enterprise x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows 8 Pro x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows 8 Pro 32-bit | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows 8 Enterprise x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft Windows 8 Enterprise 32-bit | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Microsoft® Windows® for x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Z64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| z/OS | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| 64-bit Enabled Solaris | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| HP-UX IPF | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Linux for x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||
| Solaris for x64 | 9.4_M2 | 9.4_M3 | 9.4 TS1M2 | 9.4 TS1M3 | ||