TLS for a SAS/CONNECT Windows Spawner: Example

Start-up of a Windows Spawner on a Single-User SAS/CONNECT Server

Connection of a SAS/CONNECT Client to a Windows Spawner on a SAS/CONNECT Server

Start-up of a Windows Spawner on a Single-User SAS/CONNECT Server

After digital certificates for the CA, the server, and the client have been generated and imported into the appropriate Certificate Store, you can start a spawner program that runs on a server that SAS/CONNECT clients connect to.

Here is an example of how to start a Windows spawner on a SAS/CONNECT server. From <SASHome>\SASFoundation\9.4, execute the following command:

cntspawn -install -netencryptalgorithm ssl -sslcertsubj "apex.pc.com" 
-sascmd mysas.bat -servuser userid -servpass password

The following table shows the SAS commands that are used to start a spawner on a SAS/CONNECT single-user server.

SAS Commands and Arguments for Spawner Start-Up Tasks
SAS Command and Arguments	Function
CNTSPAWN	Starts the spawner.
-INSTALL	Causes an instance of a spawner to be installed as a Windows service. For information about the -INSTALL option, see Spawner Options in SAS/CONNECT User’s Guide.
-NETENCRYPTALGORITHM SSL	Specifies the SSL encryption algorithm.
-SSLCERTSUBJ "apex.pc.com"	Specifies the subject name that is used to search for a certificate from the Microsoft Certificate Store.
-SASCMD mysas.bat	Specifies the name of an executable file that starts a SAS session when you sign on without a script file.
-SERVUSER user-ID	Specifies the user-ID to be used to start the spawner and to obtain a digital certificate. The -SERVUSER and -SERVPASS options are used together and must be specified when the spawner is installed as a service (the -INSTALL option is specified). For information about the -SERVUSER option, see Spawner Options in SAS/CONNECT User’s Guide.
-SERVPASS password	Specifies the password to be used to start the spawner and to obtain a digital certificate. The -SERVUSER and -SERVPASS options are used together and must be specified when the spawner is installed as a service (the -INSTALL option is specified). For information about the -SERVPASS option, see Spawner Options in SAS/CONNECT User’s Guide.

In order for the Windows spawner to locate the appropriate server digital certificate in the Microsoft Certificate Store, you must specify the -SSLCERTSUBJ system option in the script that is specified by the -SASCMD option. -SSLCERTSUBJ specifies the subject name of the digital certificate that TLS should use. The subject that is assigned to the -SSLCERTSUBJ option and the computer that is specified in the client sign-on must be identical.

Note: You can also use the SSLCERTISS= and SSLCERTSERIAL= options instead of the SSLCERTSUBJ= option to identify a digital certificate.

If the Windows spawner is started as a service, the -SERVPASS and -SERVUSER options must also be specified in the Windows spawner start-up command in order for TLS to locate the appropriate CA digital certificate.

For complete information about starting a Windows spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.

Connection of a SAS/CONNECT Client to a Windows Spawner on a SAS/CONNECT Server

After a spawner has been started on a SAS/CONNECT server, a SAS/CONNECT client can connect to it.

Here is an example of how to make a client connection to a Windows spawner that is running on a SAS/CONNECT server:

options netencryptalgorithm=ssl;
%let machine=apex.pc.com;
signon machine.unxspawn user=_prompt_;

The computer that is specified in the client sign-on and the subject (the -SSLCERTSUBJ option) that is specified at the server must be identical.

The following table shows the SAS options that are used to connect to a Windows spawner that runs on a SAS/CONNECT server.

SAS Options, Statements, and Arguments for Client Access to a SAS/CONNECT Server
SAS Options, Statements, and Arguments	Function
NETENCRYPTALGORITHM=SSL	Specifies the encryption algorithm
SIGNON=server-ID	Specifies which server to connect to
USER=_PROMPT_	Prompts for the user ID and password to be used for authenticating the client to the server

The server-ID and the server's Common Name, which was specified in the server's digital certificate, must be identical.