SSL on a z/OS Spawner on a SAS/CONNECT Server: Example

Start-up of a z/OS Spawner on a SAS/CONNECT Server

After digital certificates are generated for the CA, the server, and the client, and a CA trust list for the client is created, you can start a z/OS spawner program that runs on a server that SAS/CONNECT clients connect to.

For example:

//SPAWNER  EXEC PGM=SASTCPD,
//         PARM='-service 4321 =<//DDN:SYSIN'
//STEPLIB  DD   DISP=SHR,DSN=<customer.high.level.pfx>.LIBRARY
//STEPLIB  DD   DISP=SHR,DSN=<customer.high.level.pfx>.LIBE
//SYSPRINT DD   SYSOUT=*
//SYSTERM  DD   SYSOUT=*
//TKMVSJNL DD   SYSOUT=*
//SYSOUT   DD   SYSOUT=*
//SYSIN    DD   *
-netencryptalgorithm ssl 
-sslpkcs12loc /users/server/certificates/server.p12 
-sslpkcs12pass starbuck1
-sslcalistloc /users/server/certificates/sas.pem
-sascmd /users/server/command.sh

The following table explains the SAS commands that are used to start a spawner on a SAS/CONNECT server.

SAS Commands and Arguments for Spawner Start-Up Tasks

SAS Commands and Arguments	Function
SASCPD	Starts the spawner
-SERVICE 4321	Specifies the spawner service that is listening on part 4321
- NETENCRYPTALGORITHM SSL	Specifies the SSL encryption algorithm
-SSLPKCS12LOC /users/server/certificates/serverkey.p12	Specifies the file path for the location of the server's PKCS #12 DER encoding package
-SSLPKCS12PASS password	Specifies the password to access the server's private key in the PKCS #12 package
-SSLCALISTLOC /users/server/certificates/sas.pem	Specifies the CA trust list
-SASCMD /users/server/command.sh	Specifies the name of an executable file that starts a SAS session when you sign on without a script file

In order for the z/OS spawner to locate the appropriate server digital certificate, you must specify the -SSLCERTLOC and -SSLPVTKEYLOC or the -SSLPKCS12LOC and -SSLPKCS12PASS system options in the script that is specified by the -SASCMD option.

Here is an example of an executable file, command.sh:

#!/bin/sh
args=$*
if [ -n "$INHERIT" ] ; then
   args="$args -inherit $INHERIT"
fi
if [ -n "$NETENCRALG" ] ; then
   args="$args -netencralg $NETENCRALG"
fi
if [ -n "$SASDAEMONPORT" ] ; then
   args="$args -sasdaemonport $SASDAEMONPORT"
fi
if [ -n "$SASCLIENTPORT" ] ; then
   args="$args -sasclientport $SASCLIENTPORT"
fi
export TSOOUT=
export SYSPROC=SAS.CLIST
/bin/tso -t %sas -dmr -noterminal 
-sslpkcs12loc /users/server/certificates/serverkey.p12
-sslpkcs12pass password $args

For complete information about starting a z/OS spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.

Connection of a SAS/CONNECT Client to a z/OS Spawner

After a z/OS spawner is started on a SAS/CONNECT server, a SAS/CONNECT client can connect to it.

The following example shows how to connect a client to a spawner that is running on a SAS/CONNECT server:

options netencryptalgorithm=ssl;
options sslcalistloc="/users/johndoe/certificates/cacerts.pem";
%let machine=apex.server.com;
signon machine.spawner user=_prompt_;

The following table explains the SAS options that are used to connect to a SAS/CONNECT server.

SAS Options and Arguments for Client Access to a SAS/CONNECT Server

SAS Options and Arguments	Client Access Tasks
NETENCRYPTALGORITHM=SSL	Specifies the encryption algorithm
SSLCALISTLOC=cacerts.pem	Specifies the CA trust list
SIGNON=server-ID.service	Specifies the server and service to connect to
USER=_PROMPT_	Prompts for the user ID and password to be used for authenticating the client to the server

The server ID and the server's Common Name, which was specified in the server's digital certificate, must be identical.

For complete information about connecting to a z/OS spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.