
Configuring TLS in the SAS 9.4 M9 Middle-tier at Deployment

Started ‎07-21-2025 by
Modified ‎07-21-2025 by

Introduction

There is a new deployment feature in SAS 9.4M9 and the SAS Deployment Wizard that I want to quickly introduce.  It is now possible to deploy SAS with Transport Layer Security (TLS) enabled in the middle-tier.  What was a very detailed, manual process following the steps in the SAS documentation is now automated in M9.

 

Note: You may also be aware of the term Secure Sockets Layer or SSL.  TLS is a more modern and secure successor to SSL.

 

My goal here is to provide a brief introduction on using the SAS Deployment Wizard, SDW, to collect the necessary information to perform the TLS deployment of your M9 environment.   This is not designed to be an exhaustive coverage of TLS and computer security.  Some understanding of computer security is expected, or you can perform internet searches to fill any gaps.  Nor is it intended to be a complete discussion of the SAS deployment process.  For more information on the SAS deployment process, please visit the SAS 9.x Install Center.

 

TLS-Enabled SAS 9.4M9 Architecture

Let me first define which parts of the SAS 9 architecture I am referring to when I say “the SAS middle-tier”.  The following items can now be TLS enabled at deployment.

  • SAS Web Server
  • SAS Web Application Server
  • SAS JMS Broker
  • SAS Cache Locator

In the architectural diagram below, you see that I am talking about the internal communication between the servers and services in the SAS middle-tier.  While the SAS Web Server does communicate with an external user via a web browser (see note below), the focus here is on securing communication within the SAS middle-tier.   

[Figure: Places where TLS can be configured in SAS midtier]

When these components are TLS enabled, all communication between them will be encrypted. 

 

Note: For SAS 9.4 releases prior to M9, you can optionally choose to configure the SAS Web Server at deployment time to use TLS.  Only the connection between the browser and the web server is secured in that process. 

 

Now that the rest of the middle-tier can be deployed with TLS, the process for deploying the Web Server changes slightly.  The Turn On/Off TLS for all Internal Connections prompt window comes before the SAS Web Server Configuration prompt window in the SDW deployment process.  If you have selected to enable TLS for all internal connections, you must now deploy the SAS Web Server with TLS as well.

 

The screen shots below show both Web Server deployment scenarios based on the previous TLS enablement selection.

 

tls-sdw.png

A subsequent screen prompts you to select your certificates similar to the new TLS enablement prompting you’ll see shortly.

 

Certificates and Key

Before you begin deploying M9, the information security professionals at your organization will need to provide the SAS installation team with a set of certificates and a private key for each server to use for TLS.  The certificates and keys are what enable secure communication between components in the SAS environment.  The items below are associated with your organization and the servers/hosts where SAS will be deployed.  I’ve provided some additional information on each that you need to be aware of.

 

  • Certificate Authority (CA) signed certificates
    • You need CA certificates in both PEM and PKCS12 formats.
    • The files containing the PEM and PKCS12 certificates cannot be named trustedcerts or cacerts.
    • The root certificate and all additional intermediate certificates must be included in a single certificate file.
    • The PKCS12 file must use the password “changeit”, the standard default for Java keystores.
  • Server certificates and private key
    • You need server certificates in both PEM and PKCS12 formats.
    • The PKCS12 file must use the password “changeit”, the standard default for Java keystores.
    • Your private key must be in the PEM format.
    • The private key must not be protected by a passphrase.
    • The server certificates must have the proper Subject Alternative Names (SAN) for the server.
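
The requirements above can be checked before the SDW is started. The following is an added example, not SAS tooling or code from the original article: a POSIX shell script that assumes the `openssl` command-line tool is on the PATH; the function names, the argument order, and the choice to ignore file extensions in the name check are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files the SDW TLS prompts ask for.
# Function names and argument order are this example's own, not SAS tooling.

# CA files must not be named "trustedcerts" or "cacerts" (extension ignored here).
name_allowed() {
  base=$(basename "$1"); base=${base%.*}
  case "$base" in trustedcerts|cacerts) return 1 ;; *) return 0 ;; esac
}

# Certificates in a PEM file (root and intermediates must share one file).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# The private key must be PEM and must not be passphrase-protected.
key_unencrypted() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
  ! grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# The PKCS12 file must open with the password "changeit".
p12_opens() { openssl pkcs12 -in "$1" -passin pass:changeit -nokeys >/dev/null 2>&1; }

# The server certificate must chain to the CA bundle.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# The SAN extension must list the host as a DNS entry (exact match only;
# wildcard entries are not expanded here).
san_has_host() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# Usage: preflight ca.pem ca.p12 server.pem server.p12 server.key hostname
preflight() {
  rc=0
  check() { d=$1; shift; if "$@"; then echo "PASS $d"; else echo "FAIL $d"; rc=1; fi; }
  echo "INFO CA PEM holds $(pem_cert_count "$1") certificate(s)"
  check "CA PEM file name"            name_allowed "$1"
  check "CA PKCS12 file name"         name_allowed "$2"
  check "CA PKCS12 password"          p12_opens "$2"
  check "server PKCS12 password"      p12_opens "$4"
  check "server cert chains to CA"    verify_chain "$1" "$3"
  check "server key is plain PEM"     key_unencrypted "$5"
  check "SAN lists $6"                san_has_host "$3" "$6"
  return $rc
}

if [ "$#" -eq 6 ]; then preflight "$@"; fi
```

Because the private key is unencrypted and the PKCS12 password is fixed, file-system permissions on the key and PKCS12 files are the only protection for the key material.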

For more information on using certificates in SAS please review the following documents in the SAS Help Center: 

Using SAS Deployment Wizard to Enable TLS

The SAS Deployment Wizard, or SDW, is the tool used to perform the deployment of your SAS 9 environment.  Depending on the products licensed, you may have two phases to your deployment managed by the SDW. They are:

  1. Installation of SAS to a location referred to as SASHOME.
  2. Configuration of SAS based upon a plan file to a location referred to as SASCONFIG.

The steps can be done individually, with the installation and then the configuration performed in two runs of the SDW, or both steps can be done at the same time.

 

The enablement of TLS is performed during the configuration phase.  Additionally, for SAS 9.4M9 you will need to use the Custom path through the SDW.  The prompt windows that collect the certificate and key information are not available in the Express or Typical paths.  Here is a view of the Select Configuration Prompting Level screen:

 

tls-config.png

 

After selecting the custom path, you will eventually encounter the screen where you choose to enable TLS.  On the Turn On/Off TLS for all Internal Connections prompt window, select Enable from the drop-down list.

 

tls-config2.png

 

Choosing to enable TLS triggers the presentation of the next two prompts to collect the certificates and key mentioned above.  First is the prompt where the locations of the public CA certificates in PKCS12 and PEM format are provided.

 

tls-config3.png

 

Note: The Provide Public Certificate Authority Certificates for Internal Connections prompt will only be provided on the host where the SAS Metadata Server is being deployed.

 

Each server where SAS is deployed will also have a server certificate associated with it, and each server certificate is signed by the CA Certificate provided above.  A private key is also provided here to encrypt communication sent from the server.

 

tls-cert.png

 

As I mentioned earlier, you will usually get the certificates and the key from your IT department.  So, what exactly does SAS do with them?  The CA certificates are stored in these locations.  

  • In SASHome on the host where the SAS Metadata Server is running 
  • In the SAS metadata managed by the metadata server 
  • As other servers are added to your SAS environment, the certificates are downloaded from the metadata server to the SASHome location on that server 
  • To the SAS Trusted CA Bundle on every host 

Only the server’s certificate and key locations are stored in metadata.  The files themselves are not stored in the SAS environment.  Be sure that the files remain available in that location for the duration of the SAS environment. 

 

Conclusion

That’s it.  After that, communication in the SAS middle-tier will be secured whether the servers and services are all running on a single host or in a multi-tier environment with components spread across multiple servers.

Version history
Last update:
‎07-21-2025 03:16 PM
Updated by:
