SSL for a SAS/CONNECT Windows Spawner: Example

Start-up of a Windows Spawner on a Single-User SAS/CONNECT Server

After digital certificates for the CA, the server, and the client have been generated and imported into the appropriate Certificate Store, you can start a spawner program that runs on a server that SAS/CONNECT clients connect to.

Here is an example of how to start a Windows spawner on a SAS/CONNECT server:

spawner -install -netencryptalgorithm ssl -sslcertsubj "apex.pc.com" 
-sascmd mysas.bat -servuser userid -servpass password

The following table shows the SAS commands that are used to start a spawner on a SAS/CONNECT single-user server.

SAS Commands and Arguments for Spawner Start-Up Tasks

SAS Command and Arguments	Function
SPAWNER	Starts the spawner
-INSTALL	Causes an instance of a spawner to be installed as a Windows service. For information about the -INSTALL option, see Options for the Windows Spawner in Communications Access Methods for SAS/CONNECT and SAS/SHARE.
-NETENCRYPTALGORITHM SSL	Specifies the SSL encryption algorithm
-SSLCERTSUBJ "apex.pc.com"	Specifies the subject name that is used to search for a certificate from the Microsoft Certificate Store
-SASCMD mysas.bat	Specifies the name of an executable file that starts a SAS session when you sign on without a script file.
-SERVUSER user-ID	Specifies the user-ID to be used to start the spawner and to obtain a digital certificate. The -SERVUSER and the -SERVPASS options are used together and must be specified when the spawner is installed as a service (the -INSTALL option is specified). For information about the -SERVUSER option, see Options for the Windows Spawner in Communications Access Methods for SAS/CONNECT and SAS/SHARE.
-SERVPASS password	Specifies the password to be used to start the spawner and to obtain a digital certificate. The -SERVUSER and the -SERVPASS options are used together and must be specified when the spawner is installed as a service (the -INSTALL option is specified). For information about the -SERVPASS option, see Options for the Windows Spawner in Communications Access Methods for SAS/CONNECT and SAS/SHARE.

In order for the Windows spawner to locate the appropriate server digital certificate in the Microsoft Certificate Store, you must specify the -SSLCERTSUBJ system option in the script that is specified by the -SASCMD option. -SSLCERTSUBJ specifies the subject name of the digital certificate that SSL should use. The subject that is assigned to the -SSLCERTSUBJ option and the computer that is specified in the client signon must be identical.

Note: You can also use the SSLCERTISS= and the SSLCERTSERIAL= options instead of the SSLCERTSUBJ= option to identify a digital certificate.

If the Windows spawner is started as a service, the -SERVPASS and -SERVUSER options must also be specified in the Windows spawner start-up command in order for SSL to locate the appropriate CA digital certificate.

For complete information about starting a Windows spawner, see Communications Access Methods for SAS/CONNECT and SAS/SHARE.

Connection of a SAS/CONNECT Client to a Windows Spawner on a SAS/CONNECT Server

After a spawner has been started on a SAS/CONNECT server, a SAS/CONNECT client can connect to it.

Here is an example of how to make a client connection to a Windows spawner that is running on a SAS/CONNECT server:

options comamid=tcp netencryptalgorithm=ssl;
%let machine=apex.pc.com;
signon machine user=_prompt_;

The computer that is specified in the client signon and the subject (the -SSLCERTSUBJ option) that is specified at the server must be identical.

The following table shows the SAS options that are used to connect to a Windows spawner that runs on a SAS/CONNECT server.

SAS Options, Statements, and Arguments for Client Access to a SAS/CONNECT Server

SAS Options, Statements, and Arguments	Function
COMAMID=TCP	Specifies the TCP/IP access method
NETENCRYPTALGORITHM=SSL	Specifies the encryption algorithm
SIGNON=server-ID	Specifies which server to connect to
USER=_PROMPT_	Prompts for the user ID and password to be used for authenticating the client to the server

The server-ID and the server's Common Name, which was specified in the server's digital certificate, must be identical.