How to Change Over-the-Wire Encryption Settings for SAS Servers

Automatic Configuration

When you install the metadata server, you select an encryption level (which traffic content is encrypted) and an encryption algorithm (how that traffic is encrypted). The settings that you select for the metadata server are applied to all SAS servers. SAS clients usually don't specify encryption settings; they simply conform to the requirements of the servers.
CAUTION:
In the SAS Deployment Wizard, all algorithms are listed regardless of whether you have SAS/SECURE. Do not select a value other than SASProprietary unless you have licensed SAS/SECURE on all SAS server machines.

Instructions for Post-Installation Changes

If you need to change over-the-wire encryption settings after installation is complete, use the following instructions.
  1. Update server configuration files as follows:
    1. In the operating system that hosts the metadata server, navigate to your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer/.
      • To change the algorithm, add the NETENCRALG setting that you need to the sasv9_usermods.cfg file.
      • To change the encryption level, copy the entire OBJECTSERVERPARMS line from the sasv9.cfg file into the sasv9_usermods.cfg file. Then edit the CEL value in the usermods version of the file.
      For example, to encrypt all traffic with AES, add these lines:
      -netencralg "AES"
      -objectserverparms "cel=everything  {other-parameters}"
      On z/OS, exclude the initial hyphens and add equal signs as follows:
      netencralg="AES"
      objectserverparms="cel=everything  {other-parameters}"
      Note: Do not specify a NETENCRALG value other than SASProprietary unless you have licensed SAS/SECURE on all SAS server machines.
    2. (Optional) If your deployment offers direct connections from clients to the OLAP server, make the same updates to that server's configuration file.
      Note: The OLAP server's configuration file is in your equivalent of SAS/Config/Lev1/SASApp/OLAPServer/.
  2. Update server metadata definitions as follows:
    1. In SAS Management Console, under Server Manager, select the metadata server's definition.
      Note: To get to the server definition, you must expand the application server node and the logical server node.
    2. Right-click the first connection object, and select Properties.
    3. In the Connection dialog box, select the Options tab and click Advanced Options. Adjust the settings as necessary.
    4. In the Advanced Options dialog box, select the Encryption tab.
      Note: Do not select a value other than SASProprietary unless you have licensed SAS/SECURE on all SAS server machines.
    Repeat the preceding steps for each server that is launched by the object spawner (the stored process server, the workspace server, and the pooled workspace server).
  3. Stop, restart, and validate the servers.
Tip
Only those components that can conform to a server’s encryption requirements are able to connect to that server. Additional configuration might be necessary to make SAS/SECURE available to other components such as SAS Remote Services or the SAS Framework Data Server, so that they can connect. SAS/SECURE is documented in Encryption in SAS.

Details about NETENCRALG and CEL

On direct connections, encryption is governed by the server's invocation command. Here are details and some examples:
Note: On z/OS, the following syntax examples are slightly different. See step 1a in the preceding topic.
NETENCRALG (network encryption algorithm)
is a SAS system option. The NETENCRALG setting that is defined for the metadata server during installation is in the metadata server's sasv9.cfg file.
  • If you accept the default encryption settings during installation, the configuration file includes this line:
    -netencralg "SASProprietary"
  • If you have licensed SAS/SECURE and selected the AES algorithm during installation, the setting in the metadata server's sasv9.cfg file is as follows:
    -netencralg "AES"
  • If a different NETENCRALG setting has been added to the metadata server's sasv9_usermods.cfg file, that setting has priority.
  • Other supported values for NETENCRALG are DES, TripleDES, RC4, and RC2. However, if you haven't licensed SAS/SECURE, only SASProprietary is supported.
CEL (client encryption level)
is a parameter in the OBJECTSERVERPARMS SAS system option. The CEL setting that is defined for the metadata server during installation is in the metadata server's sasv9.cfg file.
  • If you accept the default encryption settings during installation, the configuration file includes this line:
    -objectserverparms "cel=credentials  {other-parameters}"
  • If, during installation, you selected the option to encrypt all traffic, the setting in the metadata server's sasv9.cfg file is as follows:
    -objectserverparms "cel=everything {other-parameters}"
  • If a different CEL setting has been added to the metadata server's sasv9_usermods.cfg file, that setting has priority.
It isn't necessary to specify encryption settings in the invocation command for every component for the following reasons:
  • Encryption algorithm and level are negotiated between each pair of communicating components. For example, when the OLAP server and object spawner initialize, they contact the metadata server and conform to the metadata server's encryption settings. The same negotiation occurs when a client application contacts a server.
  • For spawned servers (the stored process server, the pooled workspace server, and the workspace server), encryption is determined by metadata settings, not by a server invocation command.
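The priority rule above (a setting in sasv9_usermods.cfg overrides the installed one in sasv9.cfg) is easy to get wrong when auditing a server, because the value you see in sasv9.cfg is not necessarily the one in force. The following shell functions are an added example, not part of the SAS documentation or any SAS tool: they read both files and report the effective NETENCRALG and CEL, and flag any algorithm other than SASProprietary as one that needs SAS/SECURE on all server machines. They go slightly beyond the text by accepting both the Unix/Windows form (-netencralg "AES") and the z/OS form (netencralg="AES"). The configuration files in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not SAS-supplied): resolve the effective NETENCRALG and CEL
# for one server from sasv9.cfg and sasv9_usermods.cfg, usermods taking priority.

# Last NETENCRALG value in a file (either -netencralg "X" or netencralg="X"), or nothing.
netencralg_in() {
  grep -i '^[[:space:]]*-*netencralg' "$1" 2>/dev/null | tail -n 1 |
    sed -nE 's/^[^"=]*=?[[:space:]]*"?([A-Za-z0-9]+)"?.*$/\1/p'
}

# Last CEL value taken from an OBJECTSERVERPARMS line in a file, or nothing.
cel_in() {
  grep -i '^[[:space:]]*-*objectserverparms' "$1" 2>/dev/null | tail -n 1 |
    sed -nE 's/.*[Cc][Ee][Ll]=([A-Za-z]+).*/\1/p'
}

# effective_setting <getter> <sasv9.cfg> <sasv9_usermods.cfg>
# A value present in sasv9_usermods.cfg wins over the installed value in sasv9.cfg.
effective_setting() {
  value=$("$1" "$3")
  [ -n "$value" ] || value=$("$1" "$2")
  printf '%s\n' "$value"
}

# Exit status 0 when the algorithm needs SAS/SECURE licensed on every SAS server machine.
requires_sas_secure() {
  alg_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [ -n "$alg_lc" ] && [ "$alg_lc" != sasproprietary ]
}

# report_encryption <sasv9.cfg> <sasv9_usermods.cfg>
report_encryption() {
  alg=$(effective_setting netencralg_in "$1" "$2")
  cel=$(effective_setting cel_in "$1" "$2")
  printf 'effective NETENCRALG: %s\n' "${alg:-(not set)}"
  printf 'effective CEL:        %s\n' "${cel:-(not set)}"
  if requires_sas_secure "$alg"; then
    echo "note: NETENCRALG=$alg requires SAS/SECURE on all SAS server machines"
  fi
}

# Demonstration on constructed files: installed defaults in sasv9.cfg,
# z/OS-style overrides in sasv9_usermods.cfg. No real configuration is read.
demo_dir=$(mktemp -d)
printf '%s\n' \
  '-netencralg "SASProprietary"' \
  '-objectserverparms "cel=credentials  {other-parameters}"' >"$demo_dir/sasv9.cfg"
printf '%s\n' \
  'netencralg="AES"' \
  'objectserverparms="cel=everything  {other-parameters}"' >"$demo_dir/sasv9_usermods.cfg"
report_encryption "$demo_dir/sasv9.cfg" "$demo_dir/sasv9_usermods.cfg"
rm -r "$demo_dir"
```

Point report_encryption at the metadata server's MetadataServer directory and, if clients connect to it directly, the OLAPServer directory; spawned servers are not covered because their encryption comes from metadata, not from a configuration file.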