What's New in Encryption in SAS 9.4

For software delivery purposes, SAS/SECURE is a product within the SAS System. In SAS 9.4, SAS/SECURE is included with the Base SAS software. In prior releases, SAS/SECURE was an add-on product that was licensed separately. This change makes strong encryption available in all deployments (except where prohibited by import restrictions).

If you use SAS/SECURE, you can use a new encoding type for stored passwords, SAS004 (uses AES encryption with 64-bit salt). The salt size was increased to 64 bits to comply with the minimum recommended salt size for PKCS #5 v2.0: Password-Based Cryptography Standard, http://www.rsa.com/rsalabs/node.asp?id=2127. See Technologies for Encryption and PWENCODE Procedure.

If you use SAS/SECURE, you can use an industry standard algorithm (AES) to encrypt SAS data on disk. For more information, see ENCRYPT= Data Set Option in SAS Data Set Options: Reference and SAS Data File Encryption in SAS Language Reference: Concepts.

The SAS Logging Facility now supports full logging and debugging of the SAS/CONNECT spawner operations. See LOGCONFIGLOC= System Option in SAS Logging: Configuration and Programming Reference for detailed information.

The SAS Logging Facility now supports full logging and debugging of encryption activity. See LOGCONFIGLOC= System Option in SAS Logging: Configuration and Programming Reference for system option information. For information about security loggers, see Encryption: SAS Logging Facility.

In the first maintenance release and the second maintenance release for SAS 9.4, for TLS encryption, SAS sets the default location of the Certificate Authority (CA) trust list to SAS-configuration-directory/levn/certs/cacert.pem for UNIX and z/OS foundation servers. This default location is specified by the SSLCALISTLOC= option in configuration files. For more information, see SSLCALISTLOC= System Option.

In the third maintenance release of SAS 9.4, trusted certificates are located in the trustedcerts.pem file. The SSLCALISTLOC= system option points to the trustedcerts.pem file by default. This file is located in <SASHome>/SASSecurityCertificateFramework/1.1/cacerts/. The SSLCALISTLOC= system option and new location are automatically added at SAS installation.

Environment variables SSL_CERT_DIR and SSLCACERTDIR can also be used to point to the location of certificates. These environment variables are supported on UNIX and z/OS and support logging.

Starting in the first maintenance release for SAS 9.4, UNIX and z/OS clients and servers now support Server Name Indication (SNI) and Subject Alternative Names (SAN) in TLS. The client uses SNI in the TLS handshake to tell the server which server name it is trying to connect to. SANs are used in TLS certificates. For information, see SSL_USE_SNI Environment Variable.

In the third maintenance release of SAS 9.4, two new environment variables are available: SAS_SSL_MIN_PROTOCOL, supported on UNIX, Windows, and z/OS, and SAS_SSL_CIPHER_LIST, supported on UNIX and z/OS. For more information, see SAS_SSL_MIN_PROTOCOL Environment Variable and SAS_SSL_CIPHER_LIST Environment Variable.

On a Windows server or client, the user can import digital certificates to a Machine Store as well as to a Personal Store. See TLS on Windows: Setting Up Digital Certificates .

In the third maintenance release of SAS 9.4, the SAS Deployment Manager can be used to automate the process of updating the list of trusted CA Certificates. At installation, a list of trusted CA certificates that are distributed by Mozilla is installed and SAS products are automatically configured to use this. The SAS Deployment Manager is used to manage the trusted CA bundle (provided by SAS) for all hosts. The trustedcerts.pem and trustedcerts.jks files are both updated. On Windows, the SAS Deployment Manager tasks manage the Java version of the trusted CA bundle, on UNIX, the SAS Deployment Manager task updates the trustedcerts.pem and the trustedcerts.jks files, and on z/OS, the SAS Deployment Manager tasks update the trustedcerts.pem file.

In the third maintenance release of SAS 9.4, information has been added about setting the FIPS security settings on a Windows server. See TLS on Windows: FIPS 140-2 Capable OpenSSL .

In the third maintenance release of SAS 9.4, information about setting up a FIPS-2 environment on UNIX has been updated in the SAS Deployment Wizard. For specific information, see SAS® Deployment Wizard and SAS® Deployment Manager 9.4: User's Guide. For information about FIPS in this document, see FIPS 140-2 Standards Compliance, TLS: FIPS 140-2 Compliant Installation and Configuration, and TLS on UNIX: Building FIPS 140-2 Capable OpenSSL .

In the fourth maintenance release of SAS 9.4, the OpenSSL libraries provided by SAS have been updated. For SAS 9.4 and all maintenance releases of SAS 9.4, updated versions of OpenSSL for UNIX and z/OS are provided and updated through hot fixes. See the SAS Security Bulletin on OpenSSL for the most current information about the versions of OpenSSL used in SAS products and about the advisories under consideration.