Hi,
We have an internal https web service that is failing basic security tests. It employs a self-signed certificate that, to make things worse, uses the server name "server". The CA is not within our own domain.
Still, I need to pull data from that service. The original application used cURL for that and I am in the process of SAS-ifying it. cURL has the option -k that allows it to ignore security warnings about the certificates.
From the cURL man page:
-k, --insecure
(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.
When I use proc HTTP, advertised as the SAS equivalent to cURL, I see no way of straightforwardly ignoring any certificate errors or warnings. And yes, I know I shouldn't. Let's not get there. It's complicated 😉
It looks like my only alternative is the import of these insecure certs and adding the ghastly hostname "server" to my DNS resolution scheme. As this will be only temporary, I am not in favor of that approach.
Does proc HTTP have an equivalent to that -k option that I have overlooked? Is there any alternative approach?
Cheers Jan.
Suppose I could just answer this for the more common deployments out there. Since you mention the existing use of cURL I imagine this is Linux or some UNIX derivative. So for SAS 9.4 or later on UNIX/Linux you will be able to set the SSLREQCERT= System Option appropriately and it should be all good. Remember to set the option back after you are finished fetching the resource from the server with a self-signed certificate. This option is an invocation option. No TLS connections will be validated by the SAS session if you launch it so be careful with this.
For those using SAS 9.4 on Microsoft Windows the TLS communication is handled by using facilities provided in the operating system. Myself, I don't know or use Windows, so I'd not be sure about what tunables are available in Windows to control how certificate validation is handled. Perhaps Windows has some way you can add exceptions into the Windows validation process for certain connections/process/users etc. Something to ask your Microsoft Windows admins about.
For any version of SAS 9.3 or older there is no way I can think to do this.
EDIT: warn about the option affecting all TLS communication if it's set.
Thanks @SimonDawson
Do you know in what version this option was introduced? I'm not finding it in my 9.4 deployment.
Ha yes when I checked this in 9.4M4 it turned out that SSLREQCERT is not yet available. I hope @SimonDawson can shed some light on this.
I'll update my post to make it clear this is an option introduced in SAS 9.4M4. Thanks for letting me know. Looks like 9.4 M3 or earlier there isn't anything available.
I initially thought this was an option that might have been introduced in M5 because I got an error setting the SAS option in SAS 9.4 M4 on Linux. Reread the documentation and now I note it's a shell environment variable, not a SAS option. From what I read it was introduced in SAS 9.4 M0.
Hi Simon,
Thanks. That is certainly what I was looking for. The global nature of this option, however, can pose a challenge. We would like to restrict this as much as possible. This is a large-scale government environment where encryption is serious business and we must move carefully. Maybe grid options sets can come to the rescue.
Many thanks! I can take it from here.
Regards,
- Jan.
It's an environment variable. I'll see if I can make this clearer in the documentation.
Note the example uses export. This isn't a SAS system option, it's a shell environment variable that is checked by the software.
Sorry for any confusion caused.
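One way to keep the variable from reaching every TLS connection made from a login shell, shown as an added example that is not part of the thread and not SAS's own code: the wrapper below sets SSLREQCERT for a single child process only and refuses to run if the variable is already exported. The value `allow` and the program name `fetch.sas` are assumptions; confirm the accepted values in the SAS encryption documentation for your release.

```shell
#!/bin/sh
# Added example: scope SSLREQCERT to one child process instead of exporting it.
# Assumed usage (fetch.sas is a hypothetical program name):
#   run_with_sslreqcert allow sas -sysin fetch.sas

# Succeeds when SSLREQCERT is present in this shell's exported environment.
sslreqcert_is_exported() {
    env | grep -q '^SSLREQCERT='
}

# Run one command with SSLREQCERT set only in that command's environment.
# Usage: run_with_sslreqcert VALUE command [args...]
run_with_sslreqcert() {
    _sslreqcert_value=$1
    shift
    # An exported copy would already apply to every process started from
    # this shell, so stop and make the operator remove it first.
    if sslreqcert_is_exported; then
        echo "SSLREQCERT is already exported in this shell; unset it first" >&2
        return 2
    fi
    # Audit line on stderr: when, which value, and for which command.
    printf '%s SSLREQCERT=%s for: %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_sslreqcert_value" "$*" >&2
    # env VAR=value cmd changes the environment of the child only; the
    # calling shell and anything it starts later are unaffected.
    env SSLREQCERT="$_sslreqcert_value" "$@"
}
```

The calling shell never holds the relaxed setting, so there is nothing to remember to set back afterwards.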
Hi @SimonDawson,
Is it too much to ask for implementation as an option instead, making the implementation conform to the doc instead of the other way around? It would make it easier for us to support as we are keeping 7 grids in the air. If not all (SSL) options show up in a proc options that would make things harder. It's these small things that matter when every effort is multiplied by seven.
Also, my testing shows SSLREQCERT working in 9.4M5 but not in M4. Our grids still run M4. But that would have to be confirmed by independent testing.
Regards,
- Jan.
I would ask for a procedure option, like -k on curl command.
Kind regards