Starting at SAS^® 9.4M9, the NETENCRYPTALGORITHM (NETENCRALG) system option values AES, DES, RC2, RC4, and TripleDES will be deprecated (support for implementing dropped). SAS understands that this change could be disruptive. To allow customers time to accommodate this transition, the ability to use these system option values will not be removed until the first half of 2026.

Deprecation Plan

The eventual removal of these option values will be accomplished in multiple phases. Customers who are using older platform releases need to plan and start to move away from using these NETENCRYTPALGORITHM values.

In the SAS 9.4M9 release, these less secure NETENCRYPTALGORITHM (NETENCRALG) option values are available. However, support to configure SAS using these values in the SAS^® Deployment Wizard (SDW) will be removed. You will still be able to manually configure these NETENCRALG values as a post-installation task.

Preparation for Deprecation

Sites using the SAS option NETENCRYPTALGORITHM (NETENCRALG) for AES, DES, RC2, RC4, and TripleDES should proactively move to using TLS/SSL.

The NETENCRYPTALGORITHM parameter allows for multiple algorithms to be used. So, you can use TLS/SSL concurrently with existing algorithms during any transition period.

Here is an example: -netencryptalgorithm '(AES SSL)'

Messages

To prepare for this change, the following note and/or warning message (depending on the release of SAS or SAS Viya used) will soon be issued when the use of these system option values is detected.

Note:   ERROR:  SAS is deprecating NETENCRYPTALGORITHM (NETENCRALG) system option values AES, DES, RC2, RC4, and TripleDES in a future release. Change the option value to SSL to specify the use of the TLS protocol.

WARNING: SAS is deprecating NETENCRYPTALGORITHM (NETENCRALG) system option values AES, DES, RC2, RC4, and TripleDES in a future release. Change the option value to SSL to specify the use of the TLS protocol.

These warning and note messages are generated beginning in the SAS^® 9.4M9 (TS1M9) release and also delivered with hot fixes and patches for SAS^® 9.4M8 (TS1M8), SAS^® 9.4M7 (TS1M7), SAS^® Viya^® 3.5, and SAS^® Viya^® platform LTS releases.

Disable the Note/Warning

To disable the warning message in SAS 9.4M9 and SAS Viya and to change the "Note: ERROR" text to just a "Note:", specify the following environment variable:

ACCEPT_RISK_AND_ALLOW_INSECURE_HANDSHAKE

Support for this environment variable will be added when the above Note/Warning messages are implemented.

For details about how to set a SAS environment variable, refer to the SAS Companion for the operating system being used or the SAS Viya Administration guide.

The SAS^® System Evaluation Tool in SAS^®9 Content Assessment will also detect the use of NETENCRYPTALGORITHM (NETENCRALG) system option values AES, DES, RC2, RC4, and TripleDES in SAS 9.4 environments and present the warning. This warning is to prepare for completely removing these option values in a future SAS^®9 maintenance and SAS Viya releases. 

Resources

• TLS Support for IOM Servers
• Encryption Starting with SAS 9.4M8
• Configure TLS, FIPS, and Certificates
• SAS System Options for Encryption
• ACCEPT_RISK_ALLOW_INSECURE_HANDSHAKE Environment Variable 
• SAS Communities article: Changes to the NETENCRYPTALGORITHM (NETENCRALG) SAS system option
• SAS 9.4 Companion  for Operating Systems
• SAS Viya Administration

Hot Fix

The hot fix for this issue will implement the changes described in this article.