topic Re: Changing SAS default TLS version from 1.0 to 1.2 in Administration and Deployment

Changing SAS default TLS version from 1.0 to 1.2

markabell — Fri, 13 Oct 2017 01:23:46 GMT

Hi,

We have recently been getting errors on our SOAP API calls. (was previously OK)

MPRINT(SOAP):   filename soap_in "E:\SASData\input\Admissions\enabling_ugrd_req.xml" RECFM=V LRECL=5000;
MPRINT(SOAP):   filename soap_out "E:\SASData\input\Admissions\enabling_ugrd_data.xml" RECFM=V LRECL=5000;
MPRINT(SOAP):   proc soap in=soap_in out=soap_out url="https://xxx.yyy.zzz/cgi-bin/uon.cfg/services/soap" ENVELOPE ;
MPRINT(SOAP):   run;
ERROR: org.springframework.ws.client.WebServiceIOException: I/O error: Received fatal alert: handshake_failure; nested exception is
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Some digging has revealed that it appears to be due to the external API target no longer supporting TLS 1.0

The SAS server is running SAS 9.4 M0 on Windows 2008 .

We have done Windows patching to ensure that TLS 1.2 is on the windows server, but SAS still defaults to TLS 1.0

I've found what appears to be a likely solution -

The SAS_SSL_MIN_PROTOCOL environment variable enables you to set a minimum TLS protocol that will be negotiated

http://support.sas.com/documentation/cdl/en/secref/69831/HTML/default/viewer.htm#n1h5naraq9pbc1n1pk74hk1j9l6i.htm

I was going to add the following to one of the config files

-set "SAS_SSL_MIN_PROTOCOL=TLS1.2"

The question that I'm struggling with is "what is the appropriate config file to put this variable in ?"

There are lots of files scattered around - I think that it should be one of the "sasv9_usermods.cfg" files

and my current best idea as to which one is in - D:\SAS\Config\Lev1\SASApp

Is this correct or should I be using one in a different location ?

Thanks,

Mark

Re: Changing SAS default TLS version from 1.0 to 1.2

JuanS_OCS — Fri, 13 Oct 2017 07:04:02 GMT

Hi Mark @markabell,

you are on the exact good track 🙂 Did you already tried it?

BTW, on the sasv9 files, it would be enough with:

-SAS_SSL_MIN_PROTOCOL=TLS1.2

Re: Changing SAS default TLS version from 1.0 to 1.2

markabell — Mon, 16 Oct 2017 00:46:08 GMT

Thanks Juan,

There was a syntax error with the variable as I'd originally defined it, so I changed it to

-set SAS_SSL_MIN_PROTOCOL TLS1.2

Still no joy - I'll try it with your variant

Regards,

Mark

Re: Changing SAS default TLS version from 1.0 to 1.2

JuanS_OCS — Mon, 16 Oct 2017 08:05:05 GMT

Hello @markabell,

sorry to read there is no joy, yet.

There is something I did not realise the first time I read your message. You mentioned SAS 9.4 M0 ... perhaps I am dead wrong, but perhaps you will need to ensure your java on version 1.7.0_111 minimum. SAS 9.4 brings its own java (PrivateJRE) which updates only though hotfixes and maintenances.

First and foremost, Oracle has added support for TLS1.2 in java 7 in a later version. Therefore you'll first need to ensure that you have the required java version installed. The easiest way is to simply run java.exe -version from the <SASHome>\SASprivatejre\9.4\jre\bin folder. If the version reported is 1.7.0_111 you're good. If not: http://support.sas.com/kb/56/203.html.

Java 1.7.0_111 backports the 'Djdk.tls.client.protocols' that was introduced in Java 8.

This part corresponds to middle tier configurations, so I don't think it applies to you, but I would like to share this information, in case it may help somewone.

This will need to be set on every client component that needs a connection to the middle tier. So, this means that all SASServerX_x instances wrapper.conf files need the -Djdk.tls.client.protocols=TLSv1.2 java option to be set. This should ensure that the web application servers will work.

-Djdk.tls.client.protocols="TLSv1.2" needs to be added to other clients as well:

- To make Content Server validation work in Management Console:

SASHOME/SASManagementConsole/9.4/sasmc.ini

- To make the Deployment Backup work from the /SASBackupManager web app:

SASHOME/SASPlatformObjectFramework/9.4/SASDeploymentBackup/BackupServer.ini

- To make the Deployment Backup work from the command line tools:

SASHOME/SASPlatformObjectFramework/9.4/tools/admin/*.ini (many)

- Environment Manager server (also a client in this specific case)

SASCONFIG/Web/SASEnvironmentManager/server-5.8.0-EE/conf/hq-server.conf

Additionally some tasks in Enterprise Guide also create connections to the middle tier. These fail as well. The problem here is in the .NET framework:

Microsoft's .NET framework 4.0 does not officially support TLS 1.2. This is introduced with .NET 4.5 where it is available but not enabled by default. Starting with .NET 4.6 TLS 1.2 is enabled. Enterprise Guide 7.13 is built against 4.6 and should work correctly. The previous 7.x versions do not. This requires changes to the .net framework. adding the SchUseStrongCrypto registry will take care of this.

https://technet.microsoft.com/en-us/library/security/2960358.aspx

What I wwould do: if you still need support on this, I would contact SAS Technical Support, because I am not sure about all the impact on Maintenance 0.

Kind regards,

Juan

Re: Changing SAS default TLS version from 1.0 to 1.2

markabell — Mon, 16 Oct 2017 23:32:26 GMT

Hi Juan,

Thanks for the detailed response - it looks like we need to get the Java updated

D:\SAS>D:\SAS\Applications\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe -version
java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)

I'll see when our Operations team can look at getting the java upgrade done.

Thanks,

Mark

Re: Changing SAS default TLS version from 1.0 to 1.2

JuanS_OCS — Tue, 17 Oct 2017 10:00:18 GMT

I hope it will help there @markabell. It did to me a few months ago.

A quick comment and reminder: SAS 9.4 brings its own Java on the SASPrivateJRE and that is what needs to be updated. Therefore you might need to install all the latest hotfixes... or perhaps it would be even better to just upgrade to at least M3. The latest maintenance available is M5. In your shoes. I would just take this latest option to upgrade your SAS servers to M4 or M5, depending on your company policies.

Re: Changing SAS default TLS version from 1.0 to 1.2

markabell — Wed, 18 Oct 2017 04:08:06 GMT

We have a full set of updates planned for early next year. This is just to get the api loads running again.

The systems have been treated with benign neglect & are more than overdue for a full set of patches and upgrades.

Thanks,

Mark

Re: Changing SAS default TLS version from 1.0 to 1.2

JuanS_OCS — Wed, 18 Oct 2017 14:34:08 GMT

Until you can get your maintenance/versions installed, in the meantime, If you can enable XCMD (commands on the file system) to some jobs, perhaps you or your teams would like to explore cURL or SoapUI

https://es.wikipedia.org/wiki/CURL

https://curl.haxx.se/

https://github.com/curl/curl

With cURL you can make all of those calls, from SAS with an XCMD to a cURL command (external).

For enabling cURL for TLS 1.2:

https://ec.haxx.se/usingcurl-tls.html

https://support.shopgate.com/hc/en-us/articles/115006896288-Upgrade-your-SSL-library-to-support-TLS-1-2

https://superuser.com/questions/606598/specifying-minor-tls-version-when-using-curl

https://serverfault.com/questions/800262/how-to-build-curl-for-tlsv1-2-support

https://github.com/curl/curl/issues/700

SoapUI:

https://community.smartbear.com/t5/SoapUI-Open-Source/How-to-enable-TLS-1-2-in-SoapUI/td-p/96239

https://blogs.perficient.com/ibm/2016/02/19/4-steps-to-enable-tls-protocols-in-soap-ui/

Re: Changing SAS default TLS version from 1.0 to 1.2

markabell — Wed, 25 Oct 2017 03:18:19 GMT

Hi Juan,

We were able to get the Java update done for the SAS provided JRE - see http://support.sas.com/kb/56/203.html.

And I can confirm that the SOAP API calls are now using TLS 1.2 and are working correctly.

Thankyou for your assistance on this.

Regards,

Mark

Re: Changing SAS default TLS version from 1.0 to 1.2

JuanS_OCS — Wed, 25 Oct 2017 11:28:29 GMT

Hi there @markabell,

very glad to know that you could make it to work, finally. And thanks for the feedback/update!

Regards,

Juan

Re: Changing SAS default TLS version from 1.0 to 1.2

megalopsuchos — Thu, 29 Nov 2018 21:16:18 GMT

Juan,

Thank you so much for adding the additional information regarding wrapper.conf editing as I am the someone it helped.

Re: Changing SAS default TLS version from 1.0 to 1.2

JuanS_OCS — Fri, 30 Nov 2018 09:21:58 GMT

Thanks @megalopsuchos and a pleasure

Re: Changing SAS default TLS version from 1.0 to 1.2

Donna_SAS — Fri, 30 Nov 2018 17:11:27 GMT

Note that the latest maintenance for SAS 9.4 is SAS 9.4M6 -- released on Nov 20. This release uses a Java 8-based JRE, and sets TLSv1.2 as the minimum protocol.