Problem renew certificates SAS Viya 3.4

SaraVillagrasa — Wed, 18 Sep 2019 07:02:58 GMT

Hey!

I have a problem renew the signed-certificate:

I have tried to apply the steps :

https://communities.sas.com/t5/SAS-Communities-Library/How-to-survive-SAS-Viya-self-signed-certificates-expiration/ta-p/583958

But it has not worked.

I have followed the steps:

https://documentation.sas.com/?docsetId=calencryptmotion&docsetTarget=n1xdqv1sezyrahn17erzcunxwix9.htm&docsetVersion=3.4&locale=en#n0u2e2p7l6w275n0zvkyeoiz6dv6

it doesn't work

The cachelocator show:

The files / opt / sas / viya / config / etc / SASSecurityCertificateFramework / cacerts / trustedcerts.pem and trustedcerts.jks have the new certificate.

The steps followed are:

Generamos el fichero req.conf en /etc/pki/tls/certs:

$ cd /etc/pki/tls/certs

$ vi req.conf

[req]

distinguished_name = req_distinguished_name

x509_extensions = v3_req

prompt = no

[req_distinguished_name]

C = US

O = Self-Signed Certificate

CN = innova-lab-sasviya34.innova-tsn.com

[v3_req]

keyUsage = keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = @alt_names

basicConstraints = CA:TRUE

[alt_names]

DNS.1 = innova-lab-sasviya34.innova-tsn.com

DNS.2 = innova-lab-sasviya34

DNS.3 = innova-lab-sasviya34.innova-tsn.com

DNS.4 = innova-lab-sasviya34

DNS.5 = *.innova-lab-sasviya34.innova-tsn.com

DNS.6 = *.innova-lab-sasviya34.innova-tsn.com

DNS.7 = *.innova-lab-sasviya34

DNS.8 = *.innova-lab-sasviya34

DNS.9 = localhost

IP.1 = 127.0.0.1

IP.2 = 0:0:0:0:0:0:0:1

IP.3 = 10.10.14.28

IP.4 = fe80::cadf:de01:f399:e445

Generar el certificado y la clave:

$ openssl req -x509 -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config req.conf -extensions 'v3_req'

Movemos localhost.key a /etc/pki/tls/certs a /etc/pki/tls/private

$ mv /etc/pki/tls/certs/localhost.key /etc/pki/tls/private

Modificamos los permisos a 600 el fichero localhost.key

$ chmod 600 /etc/pki/tls/private/localhost.key

Validamos localhost.crt:

$ openssl x509 -text -noout -in /etc/pki/tls/certs/localhost.crt

Reiniciamos el servicio httpproxy

$ service sas-viya-httpproxy-default restart

El fichero vars.yml no es preciso modificarlo:

$ vi /sas/install/sas_viya_playbook/vars.yml

Lanzamos la distribución y todo sale correcto:

$ cd /sas/install/sas_viya_playbook/

$ ansible-playbook -i inventory.ini ./utility/distribute-httpd-certs.yml

Visualizamos que los ficheros se han modificado:

$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts

El fichero ssl.conf no es necesario modificarlo

$ cd /etc/httpd/ssl.conf

$ vi ssl.conf

Dentro del fichero se encuentra el crt nuevo generado:

$ cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem > /root/salidatrustedcertspem.log

Se corresponde con el generado en /etc/pki/tls/certs/localhost.crt:

$ cat /etc/pki/tls/certs/localhost.crt

Ejecutamos la comprobación:

$ openssl x509 -in /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem -text -noout

Se ha copiado el crt y key a las siguientes rutas (Place the new CA certificates):

$ cp /etc/pki/tls/certs/localhost.crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/

$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts

$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/localhost.crt

$ cp /etc/pki/tls/certs/localhost.crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs/

$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs

$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tls/certs/localhost.crt

$ cp /etc/pki/tls/private/localhost.key /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/

$ chown sas:sas /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/localhost.key

$ chmod 600 /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/localhost.key

$ ls -ltr /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private

Respecto a /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.jks, visualizamos que es correcto:

$ keytool -v -list -keystore /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.jks -storepass changeit -keypass password > /root/salidatrustedcertsjks.log

Reconstruimos los certificados:

$ cd /sas/install/sas_viya_playbook/

$ sudo ansible-playbook -i inventory.ini ./utility/rebuild-trust-stores.yml

Reiniciamos los servicios:

$ service sas-viya-all-services stop

$ service sas-viya-all-services start

$ service sas-viya-all-services status

Why are the services not reading the new certificate?

Thank you very much

Re: Problem renew certificates SAS Viya 3.4

SaraVillagrasa — Wed, 18 Sep 2019 07:06:34 GMT

Sorry

Cachelocator show:

topic Problem renew certificates SAS Viya 3.4 in New SAS User

Problem renew certificates SAS Viya 3.4

Re: Problem renew certificates SAS Viya 3.4