topic SSL Error: Cannot use private key file; please check your password. in Administration and Deployment

SSL Error: Cannot use private key file; please check your password.

lalit_Jalkhare — Tue, 18 Jul 2023 10:07:37 GMT

Hello,

we have Base SAS 9.4 M7 installed on a RHEL server i am trying to encrypt the Connect/Spawner with SSL below is the command i am using to start the SAS Spawner

ETLsasSpawnerCommand="${ETLsasRoot}/utilities/bin/cntspawn -service sasspawn -shell -netencryptalgorithm ssl -sslcalistloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/trustcert.pem -sslcertloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.pem -sslpvtkeyloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.ic.ing.net.key -sslpvtkeypass {SAS004}0568374BFFFB1E18393DBEFABB6A4FA74E67977AA6C4B149"

i tried a private key which is not password protected but then i get error like "ERROR: SSL Error: Cannot use private key file; please check your password."

I passed a password without SAS encoding then also i get error "ERROR: SSL Error: Cannot use private key file; please check your password."

I tried encoding password with {SAS001} then also i get error "ERROR: SSL Error: Cannot use private key file; please check your password."

when we passed password with {SAS005} encoding then it gives below error

SAH201001I Server SAS Connect Spawner, State, starting

SAS Connect Spawner version 9.40 (build date: Feb 1 2021)
Copyright (C) 2011-2013, SAS Institute Inc., Cary, NC, USA. All Rights Reserved
ERROR: The encryption provider libraries cannot be found.
ERROR: Unable to load extension: (tkersa2)
ERROR: SSL Error: Cannot use private key file; please check your password.

i have also defined the path to tkersa2 library in the config file, but didn't helped

can someone please help to solve this issue, we will prefer to not use any password for the private key

Re: SSL Error: Cannot use private key file; please check your password.

doug_sas — Tue, 18 Jul 2023 12:23:35 GMT

It could be that the problem is your private key file, not the password. Make sure your private key file is a PEM file format, i.e., it is human readable and starts with something like "-----BEGIN RSA PRIVATE KEY-----".

You can test to see if the certificate, private key file, and password are correct using openssl command with the s_server subcommand:

openssl s_server -debug -www -cert /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.pem -key /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.ic.ing.net.key -pass pass:<password> -CAfile /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/trustcert.pem

If the password is invalid, you will see
unable to load server certificate private key file
140521628231496:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535:
140521628231496:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
140521628231496:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:
140521628231496:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

Re: SSL Error: Cannot use private key file; please check your password.

lalit_Jalkhare — Tue, 18 Jul 2023 19:24:27 GMT

Many Thanks @doug_sas for the reply, indeed the issue was with the private key file, the Spawner was successfully stated with a different file.

But now i want to connect my windows custom client to the Spawner running on the RHEL Server.

we use the scripted method (tcpunix.scr) to sign on to the spawner below code is used to invoke the sign on

%include ".\address.sas";
options netencryptalgorithm=ssl;
options remote=TOOLremo;
filename rlink ".\tcpunix.scr";

- the address file contains the server name and port name

- below is the code of tcpunix.scr file which simply run a ksh script on the server to launch a SAS session on the spawner

______________________________________________________________________________________________________________________

type 'sas -dmr -noterminal netencryptalgorithm=ssl -nosyntaxcheck' LF;
waitfor 'SESSION ESTABLISHED', 90 seconds : nosas;

log 'NOTE: SAS/CONNECT conversation established.';
stop;

unxspawn:
type "ksh /ING/DWH/ETL/common/tools/sas/sasetlmonitor &TOOLShoNam &TOOL_CLIusr" LF;
waitfor 'SESSION ESTABLISHED', 90 seconds : nosas;
stop;

___________________________________________________________________________________________________________

- Below is the code of the KSH script (sasetlmonitor) which is called by the tcpunix.scr file

${ETLsasRoot}/sas -dmr \
-altlog ${altlog} \
-work ${work} \
-config ${config} \
-sslcertloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/cert.pem \
-sslpvtkeyloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/privkey.pem \
-device grlink \
-noterminal \
-nonews \
-no\$syntaxcheck \
-dmsbatch

_______________________________

i have alraedy imported and trusted the certificate on the windows client server, but when i try to login to spawner with client we get below error on rhel logs

Running as user dwhmgr on hostname clrv0000214910.ic.ing.net
ERROR: A communication subsystem environment initialization request failure
ERROR: has occurred.
ERROR: Network request failed (rc 0x00007F971B5324B0) - SSL Error:
ERROR: Certificate was not found.
NOTE: SAS Institute Inc., SAS Campus Drive, Cary, NC USA 27513-2414
NOTE: The SAS System used:
NOTE: real time 0.02 seconds
NOTE: cpu time 0.03 seconds
NOTE:
NOTE: SAH239999I CONNECT, State, stopped

Can you please help me debug the issue, if i am missing somewhere to pass the certificate file

many thanks in advance for your time 🙂

Re: SSL Error: Cannot use private key file; please check your password.

doug_sas — Wed, 19 Jul 2023 11:26:50 GMT

Seems to me that your script is going to run 'sas -dmr -noterminal netencryptalgorithm=ssl -nosyntaxcheck' and not your KSH script. Since there are no SSL options, the connection is going to fail as you found out.

Look at https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.3/connref/p0ze0vzqoyxy34n1sa0rpk8qd5n5.htm for more information about signon scripts.

Re: SSL Error: Cannot use private key file; please check your password.

lalit_Jalkhare — Wed, 19 Jul 2023 12:41:09 GMT

Thanks, we were able to login to SAS Spawner with our client.

i have one silly question, sorry for that how, is there a way to confirm the Connection is Encrypted with SSL because on client server i checked it is showing as SAS is using TCP port 14555, so it means SAS client is connected to Spawner on TCP port 14555 with SSL Encryption ?

- below is the Process which runs on Server when client session is successfully Stablished with Spawner

we have not Defined COMAMID = TCP any where, so is this be default ?

Re: SSL Error: Cannot use private key file; please check your password.

doug_sas — Wed, 19 Jul 2023 12:47:08 GMT

1) The client log should state that it is using SSL for encryption.
2) For UNIX/Linux/Windows TCPIP is always used. For MVS, it may use XMS (shared memory) or TCPIP.