SAS® 9.4M8 (TS1M8) under z/OS uses IBM System SSL for SSL/TLS encryption and can no longer use the SAS shipped trustedcerts.pem file


Beginning in SAS 9.4M8 under z/OS, SAS uses IBM System SSL for SSL/TLS encryption and can no longer use the SAS-shipped trustedcerts.pem file.

In SAS® 9.4M3 (TS1M3) through SAS® 9.4M7 (TS1M7), SAS shipped the Mozilla trusted CA bundle in the trustedcerts.pem file, and the SAS option SSLCALISTLOC= was set to point to that file. SAS 9.4M8 under z/OS can use only a key database file (.kdb) or a PKCS#12 file (.p12).

In earlier SAS 9.4 maintenance releases you could use the SAS® Deployment Manager to add or remove TLS certificates, but you cannot use it to add or remove certificates for SAS 9.4M8 under z/OS.

You can use the IBM utility gskkyman to create your own .kdb file, or you can download the key database and stash files (trustedcerts.kdb and trustedcerts.sth) that are equivalent to the trustedcerts.pem file from the Downloads section.


Implement the Trustedcerts Key Database and Stash Files for SAS under z/OS

1. Download the trustedcerts.kdb and trustedcerts.sth files from the Downloads section.

   Note: The trustedcerts.sth file is the stash file that contains the password for the trustedcerts.kdb file.

2. Move the trustedcerts.kdb and trustedcerts.sth files to z/OS in binary. You can store them in any UNIX System Services (USS) location, but SAS recommends that you store them in the same directory that held the trustedcerts.pem file in earlier SAS 9.4 releases:

<SASHOME>/SASSecurityCertificateFramework/1.1/cacerts/    (abbreviated <SASHOME>/SSCF/1.1/cacerts/ in the commands below)

Note: The downloaded trustedcerts.kdb and trustedcerts.sth files are EBCDIC files and need to remain that way.

3. (Optional) Change the password for trustedcerts.kdb.
   Use the IBM utility gskkyman in UNIX System Services (USS) to change the password for trustedcerts.kdb.
   Note: The password stored in the downloaded trustedcerts.sth file is "SECRET". Every copy of the download shares that password, so change it before you put the database into use.

   /* Interactive mode */
      $  cd <SASHOME>/SSCF/1.1/cacerts/    /* or the directory where trustedcerts.kdb and trustedcerts.sth are stored */
      $  gskkyman
         option 3 - "Change database password" for trustedcerts.kdb

   /* Command-line mode; you are prompted for the new password */
      $  cd <SASHOME>/SSCF/1.1/cacerts/    /* or the directory where trustedcerts.kdb and trustedcerts.sth are stored */
      $  gskkyman -s -k trustedcerts.kdb


4. Set the following SAS options in the z/OS '<SASprefix>.CONFIG(SITE)' CONFIG file:
     SSLKEYRINGFILE=<SASHOME>/SSCF/1.1/cacerts/trustedcerts.kdb
     SSLKEYRINGSTASHFILE=<SASHOME>/SSCF/1.1/cacerts/trustedcerts.sth

 

See SAS System Options Used for IBM z/OS System SSL with SAS 9.4M8 for details about the new SAS options.


Add Additional CA Certificates to the Trustedcerts.kdb File

1. Because gskkyman imports .p12 files rather than .pem files, you might need to convert an additional CA certificate to PKCS #12 format using OpenSSL.
   Here is an example command that converts a .pem file to PKCS #12 format with OpenSSL (the export password is given in OpenSSL's pass: form):

   $   openssl pkcs12 -export -in xxxxx.pem -out xxxxx.p12 -nokeys -password pass:yyyyyy

       The resulting xxxxx.p12 file is an ASCII file.
       Note: Make sure that you provide a non-empty export password, because gskkyman under z/OS does not import the file if you just press Enter at the password prompt.

2. If needed, move the .p12 ASCII file that you created in step 1 to the z/OS machine in binary, into the <SASHOME>/SSCF/1.1/cacerts/ directory.
   Note: This step is not needed if you performed step 1 on a z/OS machine.

3. Make a backup copy of the trustedcerts.kdb and trustedcerts.sth files.
 
4. Use the IBM utility gskkyman from USS to import the xxxxx.p12 CA certificate into trustedcerts.kdb:

   /* Interactive mode */
      $  cd <SASHOME>/SSCF/1.1/cacerts/
      $  gskkyman
         option 2 - open trustedcerts.kdb
         option 8 - import "certificate and key"           /* do not use option 7 for .p12 files */

   /* Command-line mode */
      $  cd <SASHOME>/SSCF/1.1/cacerts/
      $  gskkyman -i -k trustedcerts.kdb -l <label for imported cert> -p xxxxx.p12      /* where xxxxx.p12 is the file from step 2 */

      Note: If the label contains any blanks or special characters, enclose it in double quotation marks.

 

5. To check the .kdb file and verify that the certificates were added properly, run the following:

     $ gskkyman -dc -k trustedcerts.kdb > xxxxxxxx   /* where xxxxxxxx is a file name of your choice */
     $ obrowse xxxxxxxx

Alternatively, you can use gskkyman option 2, Manage certificates, which lists all certificates in the .kdb file.
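The five steps above gathered into one USS shell script, as an added example that is not part of the SAS note: it converts the PEM file, backs up the database and stash, imports the certificate under a label, and confirms the label appears in the gskkyman -dc listing. The function names, the KDB_DIR and CA_EXPORT_PW variables (CA_EXPORT_PW must be exported), and the use of OpenSSL's env: password source in place of a password typed on the command line are assumptions of this example; the gskkyman flags are the ones the note uses.

```shell
#!/bin/sh
# Added example, not from the SAS note. Function names, KDB_DIR and the
# CA_EXPORT_PW variable are assumptions; gskkyman flags are those the note uses.
set -e
KDB_DIR="${KDB_DIR:-${SASHOME:-/SASHOME-placeholder}/SASSecurityCertificateFramework/1.1/cacerts}"
KDB="$KDB_DIR/trustedcerts.kdb"

# Step 3: copy trustedcerts.kdb and its .sth stash aside before changing anything.
# Prints the backup suffix so the caller can locate the copies.
backup_kdb() {                        # $1 = path to the .kdb (the .sth sits beside it)
    suffix="bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$1.$suffix"
    cp -p "${1%.kdb}.sth" "${1%.kdb}.sth.$suffix"
    echo "$suffix"
}

# Step 1: PEM -> certificate-only PKCS#12. The export password is read from the
# exported CA_EXPORT_PW variable (OpenSSL's env: source) rather than the command
# line, and must be non-empty because gskkyman rejects a .p12 with a blank password.
pem_to_p12() {                        # $1 = input .pem, $2 = output .p12
    [ -n "${CA_EXPORT_PW:-}" ] || { echo "CA_EXPORT_PW must be set and non-empty" >&2; return 1; }
    openssl x509 -in "$1" -noout       # fail early if the input is not a certificate
    openssl pkcs12 -export -in "$1" -out "$2" -nokeys -password env:CA_EXPORT_PW
}

# Step 4: command-line import under a label; quoting the label handles blanks.
import_p12() {                        # $1 = .p12 file, $2 = label
    gskkyman -i -k "$KDB" -l "$2" -p "$1"
}

# Step 5: list the database and confirm the new label is present.
verify_label() {                      # $1 = label
    gskkyman -dc -k "$KDB" | grep -F -- "$1" >/dev/null
}

main() {                              # usage: add_ca.sh <ca.pem> "<label>"
    pem="$1"; label="$2"; p12="${pem%.pem}.p12"
    pem_to_p12 "$pem" "$p12"
    backup_kdb "$KDB" >/dev/null
    import_p12 "$p12" "$label"
    verify_label "$label" && echo "imported '$label' into $KDB"
}
[ $# -eq 0 ] || main "$@"
```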

Set Up SSL/TLS for a SAS Type Server or Spawner under z/OS

A SAS server or spawner needs the private/public key pair and the CA certificate for the host where the server or spawner executes. Before SAS 9.4M8, you could set SAS options to point to different locations for the private/public and CA certificates. Beginning in SAS 9.4M8, the private/public and CA certificates (and any intermediate CA certificates) must be stored in the same .kdb file. You also need to set the following SAS options:

SSLKEYRINGFILE=<SASHOME>/SSCF/1.1/cacerts/trustedcerts.kdb
SSLKEYRINGSTASHFILE=<SASHOME>/SSCF/1.1/cacerts/trustedcerts.sth
/* or can use SSLKEYRINGPW=  */

Note: You can also set the SAS option SSLKEYRINGFILE to the PKCS#12 package file.


Downloads

Right-click the trustedcerts.sth file, select Save link as from the context menu, browse to the location where you want to save the file, and click Save.

Right-click the trustedcerts.kdb file, select Save link as from the context menu, browse to the location where you want to save the file, and click Save.