Starting
in the third maintenance release of SAS 9.4, a bundle of root digital certificates is provided to get
TLS up and working at SAS installation. SAS provides a bundle of certificates from Mozilla
that can be used as the default trust provider when you are setting up protocols such
as TLS. When providing your own signed certificates, you must add the CA root and
intermediate certificates to the trusted CA bundle using the SAS Deployment Manager.
See
Add Your Certificates to the Trusted CA Bundle.
You will also need to
add your self-signed certificates to the trusted CA bundle.
Note: In the
second maintenance release for SAS 9.4 and earlier, when
providing your own signed certificates, you must add the CA root and
intermediate certificates to the SAS Private JRE using the Java
keytool
-importcert command. See
Add Your Certificates to the SAS Private JRE.
Note: Regardless of your release
of SAS 9.4, on Windows, when providing your own signed certificates,
you must add the CA root and intermediate certificates to the Windows
certificates stores
using the Windows Certificates Snap-in. See
Add Your Certificates to the Windows CA Stores.
The Mozilla bundle of
CA certificates (root certificates) is used to create two new files,
the trustedcerts.pem file and the trustedcerts.jks file (used by Java
apps). Initially, these files contain only a list of root certificates
that have been approved by Mozilla for inclusion in Network Security
Services (NSS). These files are updated each time the SAS Deployment
Manager add and remove certificates tasks are performed.
When you use the SAS
Deployment Manager task to add custom CA certificates, your certificates
are added to the trustedcerts.pem and trustedcerts.jks files. The
trustedcerts.jks is copied to the jssecacerts file in the SAS Private
JRE on Windows and UNIX hosts. After you add files using the SAS Deployment
Manager, the three files contain the CA certificates redistributed
by SAS from Mozilla as well as the certificates that you just added.
The same process occurs when the SAS Deployment Manager task to used
to remove the same custom CA certificates. The three files are regenerated.
All three files (trustedcerts.pem, trustedcerts.jks, and jssecacerts)
are kept in sync using the SAS Deployment Manager tasks. Refer to
the SAS Deployment Wizard and SAS Deployment Manager 9.4:
User's Guide for a detailed discussion of these files
and the tasks to add and remove certificates.
When the initial installation
of SAS Software is complete on UNIX and z/OS platforms, the SSLCALISTLOC
option is set by default to point to the trustedcerts.pem file.
Note: THE SSLCALISTLOC option should
not be overridden or changed unless directed by technical support.
In addition, the trustedcerts.pem file should not be altered by any
means other than by using the new SAS Deployment Manager add and remove
certificate tasks. If the file is changed by another means, the provided
trusted CA bundle might not be supported and maintenance of those
changes is not guaranteed.
CAUTION:
Do not remove any of
the CA certificates that were initially included as part of the Mozilla
CA Bundle.