Hi,
We have recently been getting errors on our SOAP API calls. (was previously OK)
MPRINT(SOAP): filename soap_in "E:\SASData\input\Admissions\enabling_ugrd_req.xml" RECFM=V LRECL=5000;
MPRINT(SOAP): filename soap_out "E:\SASData\input\Admissions\enabling_ugrd_data.xml" RECFM=V LRECL=5000;
MPRINT(SOAP): proc soap in=soap_in out=soap_out url="https://xxx.yyy.zzz/cgi-bin/uon.cfg/services/soap" ENVELOPE ;
MPRINT(SOAP): run;
ERROR: org.springframework.ws.client.WebServiceIOException: I/O error: Received fatal alert: handshake_failure; nested exception is
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Some digging has revealed that it appears to be due to the external API target no longer supporting TLS 1.0.
The SAS server is running SAS 9.4 M0 on Windows 2008.
We have done Windows patching to ensure that TLS 1.2 is on the Windows server, but SAS still defaults to TLS 1.0.
I've found what appears to be a likely solution -
The SAS_SSL_MIN_PROTOCOL environment variable enables you to set a minimum TLS protocol that will be negotiated
I was going to add the following to one of the config files
-set "SAS_SSL_MIN_PROTOCOL=TLS1.2"
The question that I'm struggling with is "what is the appropriate config file to put this variable in?"
There are lots of files scattered around - I think that it should be one of the "sasv9_usermods.cfg" files
and my current best idea as to which one is in - D:\SAS\Config\Lev1\SASApp
Is this correct or should I be using one in a different location?
Thanks,
Mark
Hi Mark @markabell,
you are on exactly the right track 🙂 Did you already try it?
BTW, on the sasv9 files, it would be enough with:
-SAS_SSL_MIN_PROTOCOL=TLS1.2
Thanks Juan,
There was a syntax error with the variable as I'd originally defined it, so I changed it to
-set SAS_SSL_MIN_PROTOCOL TLS1.2
Still no joy - I'll try it with your variant
Regards,
Mark
Hello @markabell,
sorry to read there is no joy, yet.
There is something I did not realise the first time I read your message. You mentioned SAS 9.4 M0 ... perhaps I am dead wrong, but perhaps you will need to ensure your java is on version 1.7.0_111 minimum. SAS 9.4 brings its own java (PrivateJRE) which updates only through hotfixes and maintenances.
First and foremost, Oracle has added support for TLS1.2 in java 7 in a later version. Therefore you'll first need to ensure that you have the required java version installed. The easiest way is to simply run java.exe -version from the <SASHome>\SASprivatejre\9.4\jre\bin folder. If the version reported is 1.7.0_111 you're good. If not: http://support.sas.com/kb/56/203.html.
Java 1.7.0_111 backports the 'Djdk.tls.client.protocols' that was introduced in Java 8.
This part corresponds to middle tier configurations, so I don't think it applies to you, but I would like to share this information, in case it may help someone.
This will need to be set on every client component that needs a connection to the middle tier. So, this means that all SASServerX_x instances wrapper.conf files need the -Djdk.tls.client.protocols=TLSv1.2 java option to be set. This should ensure that the web application servers will work.
-Djdk.tls.client.protocols="TLSv1.2" needs to be added to other clients as well:
- To make Content Server validation work in Management Console:
SASHOME/SASManagementConsole/9.4/sasmc.ini
- To make the Deployment Backup work from the /SASBackupManager web app:
SASHOME/SASPlatformObjectFramework/9.4/SASDeploymentBackup/BackupServer.ini
- To make the Deployment Backup work from the command line tools:
SASHOME/SASPlatformObjectFramework/9.4/tools/admin/*.ini (many)
- Environment Manager server (also a client in this specific case)
SASCONFIG/Web/SASEnvironmentManager/server-5.8.0-EE/conf/hq-server.conf
Additionally some tasks in Enterprise Guide also create connections to the middle tier. These fail as well. The problem here is in the .NET framework:
Microsoft's .NET framework 4.0 does not officially support TLS 1.2. This is introduced with .NET 4.5 where it is available but not enabled by default. Starting with .NET 4.6 TLS 1.2 is enabled. Enterprise Guide 7.13 is built against 4.6 and should work correctly. The previous 7.x versions do not. This requires changes to the .NET framework. Adding the SchUseStrongCrypto registry will take care of this.
https://technet.microsoft.com/en-us/library/security/2960358.aspx
What I would do: if you still need support on this, I would contact SAS Technical Support, because I am not sure about all the impact on Maintenance 0.
Kind regards,
Juan
Hi Juan,
Thanks for the detailed response - it looks like we need to get the Java updated
D:\SAS>D:\SAS\Applications\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe -version
java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)
I'll see when our Operations team can look at getting the java upgrade done.
Thanks,
Mark
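The version check from this exchange, as an added example that is not part of the original thread or SAS's own tooling: it parses `java -version` output and compares it with the 1.7.0_111 minimum quoted above. The function names and the embedded sample (copied from the post above) are assumptions made for illustration.

```python
import re

# Minimum private-JRE level quoted in the thread for TLS 1.2 client support.
MIN_JAVA = (7, 0, 111)

# Constructed sample: the `java -version` output posted in the thread.
SAMPLE_OUTPUT = '''java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)
'''

_VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(output):
    """Return (major, minor, update) from `java -version` output.

    Handles the legacy scheme (1.7.0_15 -> (7, 0, 15)) and the scheme
    used from Java 9 onward (11.0.2 -> (11, 0, 2)).
    """
    match = _VERSION_RE.search(output)
    if not match:
        raise ValueError("no version string found in java -version output")
    # Drop build or pre-release suffixes such as "-b03", "-ea" or "+13".
    core = re.split(r"[-+]", match.group(1), maxsplit=1)[0]
    numbers, _, update = core.partition("_")
    parts = [int(p) for p in numbers.split(".")]
    if parts[0] == 1 and len(parts) > 1:
        # Legacy numbering: 1.<major>.<minor>_<update>
        minor = parts[2] if len(parts) > 2 else 0
        return (parts[1], minor, int(update) if update else 0)
    # Modern numbering: <major>.<minor>.<security>
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def meets_minimum(output, minimum=MIN_JAVA):
    """True when the reported JRE is at or above the minimum level."""
    return parse_java_version(output) >= minimum


if __name__ == "__main__":
    print(parse_java_version(SAMPLE_OUTPUT), meets_minimum(SAMPLE_OUTPUT))
```

`java -version` writes to stderr, so capture that stream when feeding live output to `parse_java_version`.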
I hope it will help there @markabell. It did to me a few months ago.
A quick comment and reminder: SAS 9.4 brings its own Java on the SASPrivateJRE and that is what needs to be updated. Therefore you might need to install all the latest hotfixes... or perhaps it would be even better to just upgrade to at least M3. The latest maintenance available is M5. In your shoes, I would just take this latest option to upgrade your SAS servers to M4 or M5, depending on your company policies.
We have a full set of updates planned for early next year. This is just to get the api loads running again.
The systems have been treated with benign neglect & are more than overdue for a full set of patches and upgrades.
Thanks,
Mark
Until you can get your maintenance/versions installed, in the meantime, if you can enable XCMD (commands on the file system) for some jobs, perhaps you or your teams would like to explore cURL or SoapUI.
https://es.wikipedia.org/wiki/CURL
With cURL you can make all of those calls, from SAS with an XCMD to a cURL command (external).
For enabling cURL for TLS 1.2:
https://ec.haxx.se/usingcurl-tls.html
https://superuser.com/questions/606598/specifying-minor-tls-version-when-using-curl
https://serverfault.com/questions/800262/how-to-build-curl-for-tlsv1-2-support
https://github.com/curl/curl/issues/700
SoapUI:
https://community.smartbear.com/t5/SoapUI-Open-Source/How-to-enable-TLS-1-2-in-SoapUI/td-p/96239
https://blogs.perficient.com/ibm/2016/02/19/4-steps-to-enable-tls-protocols-in-soap-ui/
Note that the latest maintenance for SAS 9.4 is SAS 9.4M6 -- released on Nov 20. This release uses a Java 8-based JRE, and sets TLSv1.2 as the minimum protocol.
Hi Juan,
We were able to get the Java update done for the SAS provided JRE - see http://support.sas.com/kb/56/203.html.
And I can confirm that the SOAP API calls are now using TLS 1.2 and are working correctly.
Thank you for your assistance on this.
Regards,
Mark
Hi there @markabell,
very glad to know that you could make it work, finally. And thanks for the feedback/update!
Regards,
Juan
Juan,
Thank you so much for adding the additional information regarding wrapper.conf editing as I am the someone it helped.
Thanks @megalopsuchos and a pleasure