topic Re: HTTPS ERROR in Administration and Deployment

HTTPS ERROR

japsas100 — Mon, 13 Mar 2017 17:13:43 GMT

We have installed and configured sas va distributed env on Linux for HTTP. We have made all the change to in sas files to reconfigured it to HTTPS.

We are not able to access the SASVisualAnalyticsHub its throwing below error

This site can’t be reached
sastest01.s.xxxx.xx refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

Re: HTTPS ERROR

JuanS_OCS — Mon, 13 Mar 2017 18:36:58 GMT

Hello @japsas100,

when you receive those errors:

the first best thing to do, is to check the logs of the SAS Web App that generated the error. In this case: SASVisualAnalyticsHub.log (under /Config/Lev1/Web/Logs/SASServer12_1).
When you go to https://yourserver.com (not necessarily with /SASVisualAnalyticsHub), on the URL tab, do you get a red or green Lock image/icon? That will give you hints if your certificate is correct on the SAS Web Server (~Apache)
Do you even manage to get to the Welcome screen of the SAS Web Server?
you can try to validate the SAS Content Server on the SAS Management Console. Do you get any error, such as PKIX? This will tell you that the certificate is not correct on the Java store and/or your SAS Web Server http://support.sas.com/documentation/cdl/en/bimtag/69826/HTML/default/viewer.htm#n0nakjyj6hlqmvn11p9p04l25j9n.htm
Did you included all the certificates (chain) in all your SASPrivateJRE, on the correct order (Root - CA - certificate), in all your SAS nodes? If not, you should. You can easily do it with the SAS Deployment Mnager.

Something else: Did you checked if you have iptables or any firewall blocking the access, from server and client side? You can easily test this with a "telnet yourserver.com 443" assuming that you have set https to port 443.

Re: HTTPS ERROR

japsas100 — Tue, 14 Mar 2017 12:37:34 GMT

Thanks for reply.

I have missed the below step.

Did you included all the certificates (chain) in all your SASPrivateJRE, on the correct order (Root - CA - certificate), in all your SAS nodes? If not, you should. You can easily do it with the SAS Deployment Mnager

Just want to understand how many files genertally we need to import via deployment wizard .

In our case we have 3 files.

1) key file generted by below command

genrsa -out sastest01.s.xxxxxx.xx.key 2048

2) 2 files received from IT dept for site-signed

One is in .pem format and other have plain file like below :

-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----

I have loaded first file (.pem format ) that we received from IT team after convert into via below command

openssl x509 -in /opt/sas/key/Certificate_Authority.pem -outform PEM -out /opt/sas/key/Certificate_Authority1.pem

and another loaded intermediated file receieved from IT team as defined above.

But when I going to load .key file (private key) its throwing error like

Singed overrun: bytes 920

verify the file contain certificates in proper encoding.

Could you please advise weather I am going into right direction and how we can fix above error.

Re: HTTPS ERROR

JuanS_OCS — Tue, 14 Mar 2017 12:49:42 GMT

Hi @japsas100,

you will need to know first the certificate chain/path of your certificate. THis certificate was probably issues by a CA (Certificate Authority) and this CA has probably a Root CA... and so on. You will need to have the certificate of each of them, on PEM (Base 64 encoding/plain format) format.

Once you get them, you will need to import them into your cacerts (if you are on SAS 9.4 M2 or lower) or into the jscerts (if you are on SAS 9.4 M3 or higher), on the right order. Root certificate, dependant CAs and the last one, your certificate of this machine.

Re: HTTPS ERROR

japsas100 — Tue, 14 Mar 2017 13:44:33 GMT

Thanks....

We have received only one root certificate file from IT team thats is in .pem format and other one like below :

-----BEGIN CERTIFICATE-----

XXXXXXXXXXXXXXXXXXXXXX

-----END CERTIFICATE-----

All above file I have imported via sas depmoment wizard.

You mentioned "last one, your certificate of this machine." Could you please confirm file name called or where we get this file?

Pl explian in details as I am very new to this kind of work.

Re: HTTPS ERROR

JuanS_OCS — Tue, 14 Mar 2017 14:36:12 GMT

I Initially expect the good certificate would be this version

-----BEGIN CERTIFICATE-----

XXXXXXXXXXXXXXXXXXXXXX

-----END CERTIFICATE-----

Let's go step by step. First step:

So, you imported the certficate with the SAS deployment manager, and I assume you also put the certificate on the SAS Web Server.

If you start the SAS Web Server only, and you try to go the https://yourserver.com URL with IE, or Chrome, you will get a red or green lock, right? If you right click or click on this lock, you will get information of your certificate and it will tell you if all certificates are OK or any of them are not OK or is missing.

Please let us know the results of this exercise.

Re: HTTPS ERROR

japsas100 — Tue, 14 Mar 2017 16:09:50 GMT

Thanks ....

I have received two files from IT dep both have same format as per your last email.

one file has below format

-----BEGIN CERTIFICATE-----

XXXXXXXXXXXXXXXXXXXXXX

-----END CERTIFICATE-----

and other file have same format at the bottom of the file and addtional details like

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: xxxxxxxxxxxxxxxxxxxxxxx
Issuer: C=xx, O=xxxxxx, CN=xxxxx Certificate Authority
Validity
Not Before: Oct 1 00:00:00 2015 GMT
Not After : Oct 1 00:00:00 2035 GMT
Subject: C=xx, O=xxxxx, CN=xxxxx Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption

...

Signature Algorithm: xxxxxxxxxxxxxxxxx

-----BEGIN CERTIFICATE-----

XXXXXXXXXXXXXXXXXXXXXX

-----END CERTIFICATE-----

Please advise which file I need to pick in first step and how I can put the certificate on the SAS Web Server?

Re: HTTPS ERROR

japsas100 — Tue, 14 Mar 2017 21:16:03 GMT

Hi ,

When I validate the certificate its throwing below error:

[sas@sastest01 bin]$ /opt/sas/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Re: HTTPS ERROR

japsas100 — Wed, 15 Mar 2017 11:53:52 GMT

We have installed and deployed sas va7.3 on distributed env with http security.

Now we have converted into https as per sas process but still we are able to open sas portal. Its throwing below error:

URL https://sastest01.xxxx.xx/SASVisualAnalyticsHub

This site can’t be reached
sastest01.xxxxxx.xxx refused to connect.

When we trying to open link without SASVisualAnalyticsHub, its showing the welcome page in blue color

https://sastest01.xxxx.xx/

also see that This page is secure (valid HTTPS). in green color.

Please advise.

Re: HTTPS ERROR

mikev — Wed, 15 Mar 2017 13:38:32 GMT

Hey @japsas100,

Did you follow steps 7 and 8 of http://support.sas.com/documentation/cdl/en/bimtag/69826/HTML/default/viewer.htm#n0nakjyj6hlqmvn11p9p04l25j9n.htm and restart the webtier afterwards? Otherwise the communication between the webserver and webapp server will be broken, which your errors suggests is now the case. (The proxy will work, the reverse proxy won't)

You might find some more info about the error in the webserver log or in the catalina.out file from the SASServer that runs your VA.

Furthermore, if this is a fresh installation, I would suggest starting over and enabling https during the configuration (make sure to load your root and intermediate certificates in the keystore between installation and configuration when you have your own CA). You might have issues applying hotfixes otherwise (you might need to revert to http before the hotfixes, or change the loadcontent scripts to connect to https).

About your error with the jks file. The default password for the keystores is 'changeit'. Did you try that password?

grtz,

-- Mike

Re: HTTPS ERROR

japsas100 — Wed, 15 Mar 2017 14:48:29 GMT

Thanks for email.

Finally I am able to login to https://sastest01.xxxxx.xx/SASLogon/login. its asking the userid and password then it showing below screen: -

You have signed in.

For increased security, sign out and close your web browser when you finish accessing services that require authentication.

But when I use below login with https://sastest01.xxxxx.xx/SASVisualAnalyticsHub/index.jsp .....its again throwing below error:

his site can’t be reached

sastest01.xxxx.xx refused to connect.

I have made all the changes as per below document.

http://support.sas.com/documentation/cdl/en/bimtag/69826/HTML/default/viewer.htm#n0nakjyj6hlqmvn11p9p04l25j9n.htm

Please advise?

Re: HTTPS ERROR

japsas100 — Wed, 15 Mar 2017 18:57:08 GMT

Any suggestion on my last query!!!

Re: HTTPS ERROR

JuanS_OCS — Thu, 16 Mar 2017 10:19:28 GMT

Hello @japsas100,

you should have no problems if you followed the indications provided by @mikev and previously provided also by myself.

Let's check something, really simple: are you able to connect to http://sastest01.xxxxx.xx:8080 , http://sastest01.xxxxx.xx:8180 and http://sastest01.xxxxx.xx:9180? This should test if your ports to SASServer1_1, 2_1 and 12_1 are blocked or not. They shouldn't.

Also, could you please check the logs of WebServer/logs/errors WebAppServer12_1/logs/server.log ?

PS: Did you open a parallel track with SAS Technical Support? Since it seems you are a bit under the stress of a deadline, and you are not getting many responses here, you would like to cover all your bases, while we can still try to help you.

Re: HTTPS ERROR

japsas100 — Thu, 16 Mar 2017 12:33:34 GMT

Thanks JuanS_OCS
Yes I can open http://sastest01.s.xxxx.xx:8080/ with any issue. But I cant see any any servers SASServer12_1 .....

I alredy spent so much time on this issue. I am going to reinstall the sas again.

This time i will configure the HTTPS during the sas installation . I have one question regarding regarding the certification....

Could you please guide on which certificate we can use during installation of SAS Web Server:.

During installation SAS asking two files for HTTPS
1) X509 Certificate
2) RSA private key

Just want to update you we have received two certificates (site certificate) from IT team

1) Root certificate
2) server certificate

Both these certificates have same format like

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Can you please explain where we are going to use these two certificates during and post installation step.

Re: HTTPS ERROR

JuanS_OCS — Thu, 16 Mar 2017 13:23:14 GMT

Hello @japsas100,

yeah, I see the unnecessary extra time here. Good idea to re-install, because you can do the direct configuration of SSL on a single step.

Those 2 certificates look good as what SAS will expect. You can start by using the server certificate.

Just some heads-up: During the configuration of the Web Infrastructure Services on the middle tier, it "might" give you an error. If you open the link of the log with the error, you will quickly see it is a PKIX error. The solution is on the followign procedure:

While you keep open the SAS Deployment Wizard with the error, you can open the SAS Deployment Manager, then you import the Root certificate, then the server certificate (just to be sure). This will add the certificates and chain to the SASPrivateJRE certificate store (jre/lib/secure/jscerts).

Create a new certificate (as my_certificate_chain.cer) by appending your Root certificate to your server certificate (copy and paste) http://support.sas.com/documentation/cdl/en/secref/69831/HTML/default/viewer.htm#p0gy97oedcx0fin1n83srxchqpzk.htm (Step 5. Create a Certificate Chain in PEM Format Using OpenSSL)

(Your Server Certificate - ssl.crt)

-----BEGIN CERTIFICATE-----

<PEM encoded certificate>

-----END CERTIFICATE-----



(Your Intermediate CA Certificate(s)) 

-----BEGIN CERTIFICATE-----

<PEM encoded certificate>

-----END CERTIFICATE-----



(Your Root CA Certificate)

-----BEGIN CERTIFICATE-----

<PEM encoded certificate>

-----END CERTIFICATE-----

Check the httd-ssl.conf of your Web Server, to ensure the httpd service will run with the right certificate and chain (sss certificate chain, you can include the new my_certificate_chain.cer we created)

Stop manually the SAS Web Server and the SAS Web Application Servers (1_1, 2_1, 12_1)

Start the SAS Web Server and ensure https://yoursite.com works and answers with a green lock

Start the SAS Web Application Servers (1_1, 2_1, 12_1)

On the SAS Deployment Wizard that is on-hold, click on retry.

Re: HTTPS ERROR

japsas100 — Thu, 16 Mar 2017 14:01:08 GMT

Thanks you soo much JanS_OCS
Just want to check where we want to add my_certificate_chain.cer file and if we want to add this file under /opt/sas/config/Lev1/Web/WebServer/conf/extra/httpd-ssl.conf then can share the where exactly want to add and with syntax.

Can you please share full command to stop SAS Web Server and the SAS Web Application Servers.

During installation we have to defined the sas webapp server like SASServer1_1 SASServer1_2etc....How much we have to defined there server?.
By default it will create three set of sas web server? last time when I was not defined it created only one SASServer1_1

Re: HTTPS ERROR

JuanS_OCS — Thu, 16 Mar 2017 14:21:32 GMT

You are so welcome 🙂

you can store that certificate chain into the Web/WebServer/ssl directory, together with the server certificate and its private key.

For starting and stoping the servers, you can execute the Lev1/Web/WebServer/bin/httpdctl {stop|start|status} and for the complete middle tier, you can use the Lev1/sas.servers {start|stop|status} script.

You can deploy your SAS Web Applications on a single Web Application Server SASServer1_1, but I personally deploy them on multiple server, to simply my administrations tasks, they become more manageable. During the deployment of your middle tier, the SDW will ask you if you want to deploy them on multiple machines. http://support.sas.com/documentation/cdl/en/biig/69172/HTML/default/viewer.htm#n05020intelplatform00install.htm (see: Web Application Server: Multiple Servers)

Re: HTTPS ERROR

japsas100 — Thu, 16 Mar 2017 14:38:15 GMT

Thanks Again!!!

Last question where we can use rsa private key file during installation.

Re: HTTPS ERROR

JuanS_OCS — Thu, 16 Mar 2017 14:54:19 GMT

No problem!

On the same link on my previous comment, you can read some lines above:

SAS Web Server: Location of X509 Certificate and RSA Private Key
If you already have an X.509 certificate, enter their locations. When you are finished, click Next.
In X509 Certificate, enter the path to the valid X.509 certificate with the DNS name of this machine as the Common Name (CN).
In RSA private key, enter the path to the RSA private key that is not protected by a passphrase.
For more information, see SAS Intelligence Platform: Middle-Tier Administration Guide.

Re: HTTPS ERROR

japsas100 — Thu, 16 Mar 2017 15:34:18 GMT

Thanks .....

Please confrim whether I am going into right direction

Create below files using notepad and moved to WebServer/ssl director.

sastest.abc.com.crt -----merged file of server and root certificate in same order

sastest.abc.com.key -----private key file.

Just want to understand , do we need to give any link /refrence of these files any where bcz these are not the sas standead names or script will pick automatically from this dir.