Architecting, installing and maintaining your SAS environment

PROC HTTP with insecure SSL certicates

Accepted Solution Solved
Reply
Valued Guide
Posts: 530
Accepted Solution

PROC HTTP with insecure SSL certicates

Hi,

 

We have an internal https web service that is failing basic security tests. It employs a self-signed certificate that, to make things worse, uses the server name "server". The CA is not within our own domain.

 

Still, I need to pull data from that service. The original application used cURL for that and I am in the process of SAS-ifying it. cURL has the option -k that allows it to ignore security warnings about the certificates.

 

From the cURL man page:

 

-k, --insecure

(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.

 

When I use proc HTTP, advertised as the SAS equivalent to cURL, I see no way of straightforwardly ignoring any certificate errors or warnings. And yes, I know I shouldn't. Let's not get there. It's complicated ;-)

 

it looks my only alternative is the import of these insecure certs and adding the ghastly hostname "server" to my DNS resolution scheme. As this will be only temporarily, I am not in favor of that approach.

 

Does proc HTTP have an equivalent to that -k option that I have overlooked? Is there any alternative approach?

 

Cheers Jan.


Accepted Solutions
Solution
‎05-08-2018 10:01 AM
SAS Employee
Posts: 61

Re: PROC HTTP with insecure SSL certicates

[ Edited ]
Posted in reply to jklaverstijn

Suppose I could just answer this for the more common deployments out there. Since you mention the existing use of cURL I imagine this is Linux or some UNIX derivative. So for SAS 9.4 or later on UNIX/Linux you will be able to set the SSLREQCERT= System Option appropriately and it should be all good. Remember to set the option back after you are finished fetching the resource from the server with a self-signed certificate. This option is an invocation option. No TLS connections will be validated by the SAS session if you launch it so be careful with this.

 

For those using SAS 9.4 on Microsoft Windows the TLS communication is handled by using facilities provided in the operating system. Myself I don't know or use of Windows so I'd not be sure about what tunables are available in Windows to control how certificate validation is handled. Perhaps Windows has some way you can add exceptions into the Windows validation process for certain connections/process/users etc. Something to ask your Microsoft Windows admins about.

 

 

For any version of SAS 9.3 or older there is no way I can think to do this.

 

EDIT: warn about the option affecting all TLS communication if its set.

View solution in original post


All Replies
SAS Employee
Posts: 61

Re: PROC HTTP with insecure SSL certicates

Posted in reply to jklaverstijn
The implementation of the SAS HTTP procedure changed alot over the course of the various SAS versions. Which SAS version and maintence release are you using?
Valued Guide
Posts: 530

Re: PROC HTTP with insecure SSL certicates

Posted in reply to SimonDawson
Hi Simon,

This is 9.4M4 on RHEL 7.

Kind regards,
-Jan.
Solution
‎05-08-2018 10:01 AM
SAS Employee
Posts: 61

Re: PROC HTTP with insecure SSL certicates

[ Edited ]
Posted in reply to jklaverstijn

Suppose I could just answer this for the more common deployments out there. Since you mention the existing use of cURL I imagine this is Linux or some UNIX derivative. So for SAS 9.4 or later on UNIX/Linux you will be able to set the SSLREQCERT= System Option appropriately and it should be all good. Remember to set the option back after you are finished fetching the resource from the server with a self-signed certificate. This option is an invocation option. No TLS connections will be validated by the SAS session if you launch it so be careful with this.

 

For those using SAS 9.4 on Microsoft Windows the TLS communication is handled by using facilities provided in the operating system. Myself I don't know or use of Windows so I'd not be sure about what tunables are available in Windows to control how certificate validation is handled. Perhaps Windows has some way you can add exceptions into the Windows validation process for certain connections/process/users etc. Something to ask your Microsoft Windows admins about.

 

 

For any version of SAS 9.3 or older there is no way I can think to do this.

 

EDIT: warn about the option affecting all TLS communication if its set.

SAS Employee
Posts: 296

Re: PROC HTTP with insecure SSL certicates

Posted in reply to SimonDawson

Thanks @SimonDawson

 

Do you know in what version this option was introduced ? I'm not finding it in my 9.4 deployment.

Valued Guide
Posts: 530

Re: PROC HTTP with insecure SSL certicates

Ha yes when I checked this in 9.4M4 it turned out that SSLREQCERT is not yet  available. I hope @SimonDawson can shed some light on this.

SAS Employee
Posts: 61

Re: PROC HTTP with insecure SSL certicates

[ Edited ]

I'll updated my post to make it clear this is an option introduced in SAS 9.4M4. Thanks for letting me know. Looks like 9.4 M3 or earlier there isn't anything available.

 

I initially thought this was an option that might have been introduced in M5 because I got an error setting the SAS option in SAS 9.4 M4 on Linux. Reread the documentation and now I note its a shell environment variable not a SAS option. From what I read it was introduced in SAS 9.4 M0.

Valued Guide
Posts: 530

Re: PROC HTTP with insecure SSL certicates

Posted in reply to SimonDawson

Hi Simon,

 

Thanks. That is certainly what I was looking for. The global nature of this options however can pose a challenge. We would like to restrict this as much as possible. This is large scale a government environment where encryption is serious business and we must move carefully. Maybe grid options sets can come to the rescue. 

 

Many thanks! I can take it from here.

 

Regards,

- Jan.

 

 

SAS Employee
Posts: 61

Re: PROC HTTP with insecure SSL certicates

Posted in reply to jklaverstijn

Its an environment variable. I'll see if I can make this clearer int he documentation.

Note the example uses export. This isn't a SAS system option, its a shell environment variable that is checked by the software.

 

Sorry for any confusion caused.

Valued Guide
Posts: 530

Re: PROC HTTP with insecure SSL certicates

Posted in reply to SimonDawson

Hi @SimonDawson,

 

Is it too much to ask for implementation as an option instead, making the implementation conform to the doc instead of the other way around? It would make it easier for us to support as we are keeping 7 grids in the air. If not all (SSL) options show up in a proc options that would make things harder. It's these small things that matter when every effort is multiplied by seven.

 

Also, my testing shows SSLREQCERT working in 9.4M5 but not in M4. Our grids still run M4. But that would have to be confirmed by independent testing.

 

Regards,

- Jan.

☑ This topic is solved.

Need further help from the community? Please ask a new question.

Discussion stats
  • 9 replies
  • 281 views
  • 3 likes
  • 3 in conversation