NETENCRYPTALGORITHM System Option

Specifies the algorithm or algorithms to be used for encrypted client/server data transfers.

Client:	optional
Server:	required
Valid in:	Configuration file, OPTIONS statement, SAS System Options window, SAS invocation, SAS/CONNECT spawner command line
Category:	Communications: Networking and Encryption
PROC OPTIONS GROUP=	Communications
Alias:	NETENCRALG
Operating environment:	UNIX, Windows, z/OS
See:	NETENCRYPT System Option, ENCRYPTFIPS System Option
Examples:	SSL for a SAS/CONNECT Windows Spawner: Example SSL on a z/OS Spawner on a SAS/CONNECT Server: Example SSL for a SAS/CONNECT UNIX Spawner: Example

Syntax

Details

Example

Syntax

NETENCRYPTALGORITHM algorithm | (“algorithm-1”... “algorithm-n”)

Syntax Description

algorithm | (“algorithm–1”... “algorithm-n”)

specifies the algorithm or algorithms that can be used for encrypting data that is transferred between a client and a server across a network. When you specify two or more encryption algorithms, use a space or a comma to separate them, and enclose the algorithms in parentheses.

The following algorithms can be used:

RC2
RC4
DES
TripleDES
SASProprietary
SSL
AES

Restrictions:The SSL option is not applicable to the Integrated Object Model (IOM) metadata, OLAP, and table servers.

When ENCRYPTFIPS is specified, only the SSL or the AES algorithm can be specified. Otherwise, an error message is output.

Details

The NETENCRYPTALGORITHM option must be specified in the server session.

Use this option to specify one or more encryption algorithms that you want to use to protect the data that is transferred across the network. If more than one algorithm is specified, the client session negotiates the first specified algorithm with the server session. If the client session does not support that algorithm, the second algorithm is negotiated, and so on.

If either the client or the server session specifies the NETENCRYPT option (which makes encryption mandatory) but a common encryption algorithm cannot be negotiated, the client cannot connect to the server.

If the NETENCRYPTALGORITHM option is specified in the server session only, then the server's values are used to negotiate the algorithm selection. If the client session supports only one of multiple algorithms that are specified in the server session, the client can connect to the server.

There is an interaction between either NETENCRYPT or NONETENCRYPT and the NETENCRYPTALGORITHM option.

Client/Server Connection Outcomes

Server Settings	Client Settings	Connection Outcome
NONETENCRYPT NETENCRALGalg	No settings	If the client is capable of encryption, the client/server connection will be encrypted. Otherwise, the connection will not be encrypted.
NETENCRYPT NETENCRALGalg	No settings	If the client is capable of encryption, the client/server connection will be encrypted. Otherwise, the client/server connection will fail.
No settings	NONETENCRYPT NETENCRALGalg	A client/server connection will not be encrypted.
No settings	NETENCRYPT NETENCRALGalg	A client/server connection will fail.
NETENCRYPT or NONETENCRYPT NETENCRALGalg–1	NETENCRALGalg-2	Regardless of whether NETENCRYPT or NONETENCRYPT is specified, a client/server connection will fail.

Example

In the following example, the client and the server specify different values for the NETENCRYPTALGORITHM option.

The client specifies two algorithms in the following OPTIONS statement:

options netencryptalgorithm=(rc2 tripledes);

The server specifies three algorithms and requires encryption in the following OPTIONS statement:

options netencrypt netencryptalgorithm=(ssl des tripledes);

The client and the server negotiate an algorithm that they share in common, TripleDES, for encrypting data transfers.