SAS ships OpenSSL libraries on UNIX. However, these are
not FIPS 140-2 compliant libraries. You must compile a FIPS 140-2
compliant version of OpenSSL and install it. If you plan to build
FIPS 140-2 capable OpenSSL for UNIX, access the OpenSSL utility at
OpenSSL source. Then follow the instructions
in the following documents for downloading and building FIPS 140-2
compliant OpenSSL:

Note: Different operating systems require the use of different library
file extensions. For example, HPUX, Linux, and Solaris use
libcrypto.so.1.0.0 and libssl.so.1.0.0. AIX uses libcrypto.so and
libssl.so. Refer to your operating system vendor documentation when
using the vendor’s OpenSSL libraries. There might be additional
procedures that need to be followed to make the libraries work properly
in your environment.

If you are using your own FIPS 140-2 compliant OpenSSL libraries, your
system administrator needs to set the environment path variables to pick
up this software. Go to the SASHome/SASFoundation/9.4/bin directory.
This directory contains the sasenv script that sets the environment
variables that are required by SAS. When you customize environment
variable values, modify the sasenv_local file. Set the location of the
FIPS 140-2 compliant libraries in the sasenv_local file. Depending on
your operating system, set LD_LIBRARY_PATH and SHLIB_PATH to the same
value, and set LIBPATH on AIX.

For example, you might add the following code to the sasenv_local file:

    export LD_LIBRARY_PATH=<FIPS library path>:$LD_LIBRARY_PATH

For more information, see Contents of the !SASROOT Directory in SAS
Companion for UNIX Environments.

Note: Prepend the customized library path in the script that is run
before invoking SAS.
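
The following sasenv_local fragment is an added example, not SAS-supplied code. It checks that the library files named in the note above are present before prepending the directory to the loader path variables. The /opt/openssl-fips/lib default, the function names, and the uname -s values used to pick the platform are assumptions.

```shell
# Added example for sasenv_local. FIPS_LIB_DIR is a placeholder path.
FIPS_LIB_DIR="${FIPS_LIB_DIR:-/opt/openssl-fips/lib}"

# Library file names per platform, as listed in the note above.
# Assumption: uname -s reports HP-UX, Linux, SunOS (Solaris) or AIX.
fips_lib_names() {
    case "$1" in
        AIX) echo "libcrypto.so libssl.so" ;;
        HP-UX|Linux|SunOS) echo "libcrypto.so.1.0.0 libssl.so.1.0.0" ;;
        *) return 1 ;;
    esac
}

# Succeed only if every expected library file exists in the directory.
# This confirms presence only, not that the build is FIPS 140-2 capable.
check_fips_dir() {
    dir=$1 os=$2
    names=$(fips_lib_names "$os") || { echo "unsupported OS: $os" >&2; return 2; }
    for f in $names; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
}

# Prepend the directory to the loader path variable(s) for the platform.
# ${VAR:+:$VAR} avoids a trailing colon when VAR is unset; with glibc an
# empty path entry means the current working directory.
prepend_fips_path() {
    dir=$1 os=$2
    LD_LIBRARY_PATH="$dir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export LD_LIBRARY_PATH
    case "$os" in
        HP-UX) SHLIB_PATH="$LD_LIBRARY_PATH"; export SHLIB_PATH ;;
        AIX) LIBPATH="$dir${LIBPATH:+:$LIBPATH}"; export LIBPATH ;;
    esac
}

# Leave the environment untouched if the libraries are not where expected.
os=$(uname -s)
if check_fips_dir "$FIPS_LIB_DIR" "$os"; then
    prepend_fips_path "$FIPS_LIB_DIR" "$os"
fi
```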

To configure a FIPS 140-2 compliant system, specify SAS system options
ENCRYPTFIPS and NETENCRALG= (set to AES or SSL). When ENCRYPTFIPS is
specified, an INFO message is written at server start-up to indicate
that FIPS encryption is enabled. Refer to ENCRYPTFIPS System Option for
details.