BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
jklaverstijn
Rhodochrosite | Level 12

Hi,

 

We have an internal https web service that is failing basic security tests. It employs a self-signed certificate that, to make things worse, uses the server name "server". The CA is not within our own domain.

 

Still, I need to pull data from that service. The original application used cURL for that and I am in the process of SAS-ifying it. cURL has the option -k that allows it to ignore security warnings about the certificates.

 

From the cURL man page:

 

-k, --insecure

(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.

 

When I use proc HTTP, advertised as the SAS equivalent to cURL, I see no way of straightforwardly ignoring any certificate errors or warnings. And yes, I know I shouldn't. Let's not get there. It's complicated 😉

 

it looks my only alternative is the import of these insecure certs and adding the ghastly hostname "server" to my DNS resolution scheme. As this will be only temporarily, I am not in favor of that approach.

 

Does proc HTTP have an equivalent to that -k option that I have overlooked? Is there any alternative approach?

 

Cheers Jan.

1 ACCEPTED SOLUTION

Accepted Solutions
SimonDawson
SAS Employee

Suppose I could just answer this for the more common deployments out there. Since you mention the existing use of cURL I imagine this is Linux or some UNIX derivative. So for SAS 9.4 or later on UNIX/Linux you will be able to set the SSLREQCERT= System Option appropriately and it should be all good. Remember to set the option back after you are finished fetching the resource from the server with a self-signed certificate. This option is an invocation option. No TLS connections will be validated by the SAS session if you launch it so be careful with this.

 

For those using SAS 9.4 on Microsoft Windows the TLS communication is handled by using facilities provided in the operating system. Myself I don't know or use of Windows so I'd not be sure about what tunables are available in Windows to control how certificate validation is handled. Perhaps Windows has some way you can add exceptions into the Windows validation process for certain connections/process/users etc. Something to ask your Microsoft Windows admins about.

 

 

For any version of SAS 9.3 or older there is no way I can think to do this.

 

EDIT: warn about the option affecting all TLS communication if its set.

View solution in original post

10 REPLIES 10
SimonDawson
SAS Employee
The implementation of the SAS HTTP procedure changed alot over the course of the various SAS versions. Which SAS version and maintence release are you using?
jklaverstijn
Rhodochrosite | Level 12
Hi Simon,

This is 9.4M4 on RHEL 7.

Kind regards,
-Jan.
SimonDawson
SAS Employee

Suppose I could just answer this for the more common deployments out there. Since you mention the existing use of cURL I imagine this is Linux or some UNIX derivative. So for SAS 9.4 or later on UNIX/Linux you will be able to set the SSLREQCERT= System Option appropriately and it should be all good. Remember to set the option back after you are finished fetching the resource from the server with a self-signed certificate. This option is an invocation option. No TLS connections will be validated by the SAS session if you launch it so be careful with this.

 

For those using SAS 9.4 on Microsoft Windows the TLS communication is handled by using facilities provided in the operating system. Myself I don't know or use of Windows so I'd not be sure about what tunables are available in Windows to control how certificate validation is handled. Perhaps Windows has some way you can add exceptions into the Windows validation process for certain connections/process/users etc. Something to ask your Microsoft Windows admins about.

 

 

For any version of SAS 9.3 or older there is no way I can think to do this.

 

EDIT: warn about the option affecting all TLS communication if its set.

nhvdwalt
Barite | Level 11

Thanks @SimonDawson

 

Do you know in what version this option was introduced ? I'm not finding it in my 9.4 deployment.

jklaverstijn
Rhodochrosite | Level 12

Ha yes when I checked this in 9.4M4 it turned out that SSLREQCERT is not yet  available. I hope @SimonDawson can shed some light on this.

SimonDawson
SAS Employee

I'll updated my post to make it clear this is an option introduced in SAS 9.4M4. Thanks for letting me know. Looks like 9.4 M3 or earlier there isn't anything available.

 

I initially thought this was an option that might have been introduced in M5 because I got an error setting the SAS option in SAS 9.4 M4 on Linux. Reread the documentation and now I note its a shell environment variable not a SAS option. From what I read it was introduced in SAS 9.4 M0.

jklaverstijn
Rhodochrosite | Level 12

Hi Simon,

 

Thanks. That is certainly what I was looking for. The global nature of this options however can pose a challenge. We would like to restrict this as much as possible. This is large scale a government environment where encryption is serious business and we must move carefully. Maybe grid options sets can come to the rescue. 

 

Many thanks! I can take it from here.

 

Regards,

- Jan.

 

 

SimonDawson
SAS Employee

Its an environment variable. I'll see if I can make this clearer int he documentation.

Note the example uses export. This isn't a SAS system option, its a shell environment variable that is checked by the software.

 

Sorry for any confusion caused.

jklaverstijn
Rhodochrosite | Level 12

Hi @SimonDawson,

 

Is it too much to ask for implementation as an option instead, making the implementation conform to the doc instead of the other way around? It would make it easier for us to support as we are keeping 7 grids in the air. If not all (SSL) options show up in a proc options that would make things harder. It's these small things that matter when every effort is multiplied by seven.

 

Also, my testing shows SSLREQCERT working in 9.4M5 but not in M4. Our grids still run M4. But that would have to be confirmed by independent testing.

 

Regards,

- Jan.

NMad
Fluorite | Level 6

I would ask for a procedure option, like -k on curl command.

 

Kind regards

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 10 replies
  • 7508 views
  • 6 likes
  • 4 in conversation