SAS/CONNECT User's Guide

Options

Note: These options do not apply to hosts that use the RSA BSAFE Crypto-J Toolkit. For Java client options, see other documentation (such as the documentation about the SAS/CONNECT Driver for Java that is provided with the SAS/IntrNet software). [cautionend]

For hosts that use the RSA BSAFE Crypto-C Toolkit or the Microsoft CryptoAPI, here are the SAS options that set encryption services attributes.

NETENCRYPT = YES | NO or NETENCRYPT | NONETENCRYPT

Set this option at both the local and remote hosts. At the remote host, this option specifies that encryption is required for each connection from a local host SAS session. At the local side, this option specifies that the local host must connect only to a remote host that supports encryption.

By default, encryption is used if the NETENCRYPTALGORITHM= option is set and if both the local and remote sides are capable of encryption. If encryption algorithms were specified but either the local or the remote side is incapable of encryption, then encryption is not performed.

Encryption may not be supported at the local or at the remote host for these reasons:

You are running a release of SAS (prior to Version 7) that does not support encryption.
Your site has not purchased a SAS/SECURE license for a specific platform.
You specified incompatible encryption algorithms in the local and the remote host SAS sessions.
You do not have a cryptographic service provider installed.

NETENCRYPTALGORITHM=("algorithm1", "algorithm2", ...)

If you specify more than one algorithm, enclose the algorithm names in parenthesis and use commas to separate them. If there are embedded blanks in the algorithm name, enclose each algorithm with quotation marks.

The alias is NETENCRALG.

Set this option at the remote host and, optionally, at the local host to specify one or more encryption algorithms to use in a SAS session. However, the local and remote hosts must share an encryption algorithm in common. If you specify the option in the remote host session only, the local side attempts to select an algorithm that was specified at the remote host. If you also set the option at the local host and specify an algorithm that is not specified at the remote host, the attempt by the local host to connect to that remote host fails.

Valid values for this option are

RC2

RC4

DES

TripleDES

SASProprietary

NETENCRYPTKEYLEN = n

Set this option in either the local or the remote host SAS session. It specifies the key length to be used by the encryption algorithm.

The alias is NETENCRKEY.

Valid values for this option are

128 specifies 1024-bit RSA and 128-bit RC2 and RC4 key algorithms.

40 specifies 512-bit RSA and 40-bit RC2 and RC4 key algorithms.

0 no value is set. This is the default.

If you require extra security, set NETENCRYPTKEYLEN=128. If you want to save CPU, set NETENCRYPTKEYLEN=40.

By default, if you try to connect a host that is capable of only a 40-bit key algorithm with a host that is capable of both 40-bit and 128-bit, the connection using the lesser of the two key lengths is used. If both hosts are capable of 128-bit, then 128-bit is used. To explicitly set one or the other, set the NETENCRYPTKEYLEN SAS option.

NETMAC | NONETMAC

This option controls the use of Message Authentication Codes (MACs) on network communications. A Message Authentication Code is the equivalent of a checksum that is used to ensure that the original message has not been modified. The MAC integrity checking adds an extra 16 bytes to RC4 encrypted messages and an extra 24 bytes to RC2, DES, and TripleDES encrypted messages.

You set this option at either the local or the remote host. The default is NETMAC.

Chapter Contents
Previous
Next
Top of Page

128	specifies 1024-bit RSA and 128-bit RC2 and RC4 key algorithms.
40	specifies 512-bit RSA and 40-bit RC2 and RC4 key algorithms.
0	no value is set. This is the default.