topic Re: How to configure SAS Web server for HTTPS in Administration and Deployment

How to configure SAS Web server for HTTPS

Madhan_cog1 — Mon, 21 Sep 2020 11:26:58 GMT

Hi All,

We have installed and configured SAS 9.4M5 Grid version(Multi tier architecture).

Could you please suggest how to configure HTTPS for Web server.

We are able to access the Mid tier components only through HTTP now.

Please suggest how to configure for HTTPS.

Thanks,

Madhan M.

Re: How to configure SAS Web server for HTTPS

JuanS_OCS — Mon, 21 Sep 2020 11:31:27 GMT

Hello @Madhan_cog1 ,

Mainly you will need to follow this document (and links in it), to switch the SAS Web server to HTTPS

https://documentation.sas.com/?docsetId=bimtag&docsetTarget=n0nakjyj6hlqmvn11p9p04l25j9n.htm&docsetVersion=9.4&locale=en

Do you need to change the SAS Web Application Server(s) to HTTPS? In that case you would need to follow these steps as well:

https://documentation.sas.com/?docsetId=bimtag&docsetTarget=n1enfdk7f1fjcqn1ggbrx79lm9i0.htm&docsetVersion=9.4&locale=en

Normally with the first document is enough, given that is the only requirement from your Security Office.

Best regards.

Juan

Re: How to configure SAS Web server for HTTPS

AnandVyas — Tue, 22 Sep 2020 05:58:39 GMT

Hi @Madhan_cog1

Please follow the steps shared by @JuanS_OCS . Also I would advise in the future it's good to enable HTTPs during configuration phase itself as you can avoid a lot of manual changes and errors caused due to it. Depending upon the web applications deployed at your site it will only add to the complexity.

Re: How to configure SAS Web server for HTTPS

Madhan_cog1 — Tue, 22 Sep 2020 11:50:10 GMT

Hi Juan/Anand,

Thanks for your response.

As suggested we are trying to enable HTTPS during configuration phase in a different level(Lev1)..

We are facing some issues while configuring HTTPS in web server.

SAS Deployment Wizard was prompting for the path for X509 certificate and RSA private key.

We used the below link to get the path for X509 and RSA private key but we are still facing issues.

https://documentation.sas.com/?docsetId=secref&docsetTarget=p0gy97oedcx0fin1n83srxchqpzk.htm&docsetVersion=9.4&locale=en

Am attaching some screenshot in the document for reference.

Could you please suggest how to get the path for X509 and RSA Private key.

A sample snippet from the error:

2020-09-22 13:07:10,155 [main] ERROR com.sas.sdw.SDWExceptionHandler - java.io.IOException: Source '/etc/pki/tls/certs' exists but is a directory

Thanks,

Madhan M.

Re: How to configure SAS Web server for HTTPS

AnandVyas — Tue, 22 Sep 2020 14:17:18 GMT

I saw the snap in the attached document. You will have to provide full path along with the ssl certificate file name in the first box and full path along with the key file name in the second box.

Re: How to configure SAS Web server for HTTPS

Madhan_cog1 — Tue, 22 Sep 2020 14:30:33 GMT

Hi Anand,

Yes understood but we would like to know how to get the path for RSA Key file . Should we generate RSA Key using SSL and use it .

Thanks,

Madhan M.

Re: How to configure SAS Web server for HTTPS

AnandVyas — Tue, 22 Sep 2020 14:34:59 GMT

Usually the process is first you generate a key using which CSR is generated. CSR is then shared to certificate signing authority CA which generates the cert chain: root - intermediate - host cert and shares it back.

In the SDM you need to provide the CA signed cert and key generated in first step. If your web server and web app server are on different hosts or use alias mention them in CSR under SAN field in order to avoid any errors due to host or alias mismatch.

Re: How to configure SAS Web server for HTTPS

JuanS_OCS — Wed, 30 Sep 2020 11:33:16 GMT

Hello @Madhan_cog1 ,

is your issue still open? I see that it is running for actually quite a while.

Just in case it is still open, I will keep it real simple:

- I advise your organization security/certificate experts to generate the certificate for you, for an Apache server.

- Just in case you still need to do it, a FAQ that should resolve all your questions. When in doubt, google the errors: https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

- In any case, what has to be known is:

a) SAS needs all the certificates in the path, in PEM base64 format, and the private key, in same format, and created for the alias you will use in the SDW deployment of your SAS web server.

b) you will need to provide it in the SDM and/or SDW: all the servers needs to have it, and every client with a Java SAS client (eg SAS Management Console) will need to import it with SDM.

Re: How to configure SAS Web server for HTTPS

Madhan_cog1 — Wed, 30 Sep 2020 11:44:37 GMT

Hi Juan,

Thanks for the response.

We have requested the organization to generate certificates for us. I hope that should solve our problem.

Thanks,

Madhan M

Re: How to configure SAS Web server for HTTPS

Madhan_cog1 — Mon, 05 Oct 2020 11:02:51 GMT

Hi Juan,

We have received the signed certificate (.pem certificate) from our organization.

We tried to bundle it using SAS Deployment Manager but we are getting error like below:

Failed to validate the certificate path.

Path does not chain with any of the trusted anchors.

Kindly suggest.

Thanks,

Madhan M.

Re: How to configure SAS Web server for HTTPS

JuanS_OCS — Mon, 05 Oct 2020 11:11:17 GMT

Hello @Madhan_cog1 ,

check the contents of the certificate. Probably this certificate it is just the server certificate (last one in the path).

You will need either the depending certificates (Root CA, Intermediate CA) in the same certificate, or separate. If they are together, you only need to point to that new certificate and import it with SDM. If they are separate, import them in order: first the Root CA, then the Intermediate CAs, then the server certificate as last one. The order is defined in the server certificate.

I personally like to work with separate certificates, but it is not needed, you can work with a chain certificate.

You are almost there, good luck!

Re: How to configure SAS Web server for HTTPS

Madhan_cog1 — Tue, 13 Oct 2020 14:26:06 GMT

Hi Juan,

Thanks for the response.

Could you please suggest how to add the Root CA and Intermediate CA certificate to the server certificate.

where we can find this Root CA and Intermediate CA certificate..

Thanks,

Madhan M.

Re: How to configure SAS Web server for HTTPS

Madhan_cog1 — Tue, 13 Oct 2020 14:34:28 GMT

Hi Juan,

Attaching the server.pem file for your reference. Please let us know whether it includes Root CA and Intermediate CA certificate.

Thanks for your help.

Regards,

Madhan M

Re: How to configure SAS Web server for HTTPS

JuanS_OCS — Tue, 13 Oct 2020 14:53:32 GMT

Hi @Madhan_cog1 ,

I would say the certificate looks good. I believe your certificates are complete and you should be ready to continue your deployment.

See how SAS documentation explains: https://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.5&docsetId=secref&docsetTarget=p1jf3or94q48y9n1om73rtgo0bct.htm&locale=en

I would expect the certificate in the following format, but yours is probably OK too:

https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-format.html

You will need a Private key as well (please do not post it here)

-----BEGIN RSA PRIVATE KEY-----
Base64–encoded private key
-----END RSA PRIVATE KEY-----

As side note, if you are interested in transforming the certificate into a certificate chain, you could:

1- rename extension to .cer

2- extract individual certificates ( Novo ... Root CA, Novo ... Issuing CA, scedevweb)

You can do this by opening your .cer, then click details tab and "Copy to File" button. For the other certificates, go to Certification path tab, click View Certificate and repear the Copy to file step)

3- You can build it by copy/paste contents of each into a .pem file in the following order: https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: scedevweb.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Novo_Issuing_CA.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: Novo_Root_CA.pem)
-----END CERTIFICATE-----

Re: How to configure SAS Web server for HTTPS

Madhan_cog1 — Wed, 14 Oct 2020 06:47:23 GMT

Hi Juan,

Thanks for the response.

When we try to bundle the .pem certificate using SASDM it fails with the below error.

Failed to validate the certificate path.

path does not chain any of the trust anchors.

Attached the screenshot.

Please let us know if this .pem certificate includes Root CA and intermediate CA or where we can find this certificates.

Thanks,

Madhan M

Re: How to configure SAS Web server for HTTPS

JuanS_OCS — Wed, 14 Oct 2020 07:54:00 GMT

Hi @Madhan_cog1 ,

yo need to split the certificates as I instructed. Then you need to import the certificates in order, as described in your certificate path: first the CA, then the intermediate, and the last one your server certificate.

Re: How to configure SAS Web server for HTTPS

Madhan_cog1 — Wed, 14 Oct 2020 14:51:12 GMT

Hi Juan,

Thanks for the response.

As per the instructions we have created the certificate chain in the below format.

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: scedevweb.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Novo_Issuing_CA.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: Novo_Root_CA.pem)
-----END CERTIFICATE-----

We also have a private key in a separate file scedevweb1.key.

we were able to bundle the certificate successfully.

But when we try to configure we are getting the below error:

"ERROR com.sas.sdw.SDWExceptionHandler - java.lang.Exception: Failed to create PKCS12 certificate"

Attaching the log for reference.

Then we tried to include the RSA Private key in the same .pem file and bundle it but we are facing the below issue.

"The following error occured loading certificate file:signed overrun bytes =918.

Could you please assist.

Thanks,

Madhan M.

Re: How to configure SAS Web server for HTTPS

AnandVyas — Thu, 15 Oct 2020 04:43:08 GMT

In the attached logs, I can see below error. Looks like the certificate isn't in correct order or the key used to generate csr was different.

"[exec] No certificate matches private key"

You can check if an SSL certificate matches a Private Key by using the 3 easy commands below:

For your SSL certificate: openssl x509 –noout –modulus –in <file>.crt | openssl md5

For your RSA private key: openssl rsa –noout –modulus –in <file>.key | openssl md5

For your CSR: openssl req -noout -modulus -in <file>.csr | openssl md5

You just need to replace <file> with your file’s name. If all the three match, the SSL certificate matches the Private Key.

Ref link

Re: How to configure SAS Web server for HTTPS

AnandVyas — Thu, 15 Oct 2020 15:04:01 GMT

Also, the certificate chain should be root, followed by intermediate and then the host. I think you have done it in reverse order.