BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
markabell
Fluorite | Level 6

Hi,

 

We have recently been getting errors on our SOAP API calls.  (was previously OK) 

MPRINT(SOAP):   filename soap_in "E:\SASData\input\Admissions\enabling_ugrd_req.xml" RECFM=V LRECL=5000;
MPRINT(SOAP):   filename soap_out "E:\SASData\input\Admissions\enabling_ugrd_data.xml" RECFM=V LRECL=5000;
MPRINT(SOAP):   proc soap in=soap_in out=soap_out url="https://xxx.yyy.zzz/cgi-bin/uon.cfg/services/soap" ENVELOPE ;
MPRINT(SOAP):   run;

ERROR: org.springframework.ws.client.WebServiceIOException: I/O error: Received fatal alert: handshake_failure; nested exception is
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Some digging has revealed that it appears to be due to the external API target no longer supporting TLS 1.0

The SAS server is running SAS 9.4 M0 on  Windows 2008 .

 

We have done Windows patching to ensure that TLS 1.2 is on the windows server, but SAS still defaults to TLS 1.0

 

I've found what appears to be a likely solution -

The SAS_SSL_MIN_PROTOCOL environment variable enables you to set a minimum TLS protocol that will be negotiated

 

http://support.sas.com/documentation/cdl/en/secref/69831/HTML/default/viewer.htm#n1h5naraq9pbc1n1pk7...

 

I was going to add the following to one of the config files

-set "SAS_SSL_MIN_PROTOCOL=TLS1.2"

 

The question that I'm struggling with is "what is the appropriate config file to put this variable in ?"

There are lots of files scattered around - I think that it should be one of the "sasv9_usermods.cfg" files

and my current best idea as to which one is in - D:\SAS\Config\Lev1\SASApp

 

Is this correct or should I be using one in a different location ?

 

Thanks,

Mark

 

1 ACCEPTED SOLUTION

Accepted Solutions
JuanS_OCS
Amethyst | Level 16

Hello @markabell

 

sorry to read there is no joy, yet.

 

There is something I did not realise the first time I read your message. You mentioned SAS 9.4 M0 ... perhaps I am dead wrong, but perhaps you will need to ensure your java on version 1.7.0_111 minimum. SAS 9.4 brings its own java (PrivateJRE) which updates only though hotfixes and maintenances.

 

First and foremost, Oracle has added support for TLS1.2 in java 7 in a later version. Therefore you'll first need to ensure that you have the required java version installed. The easiest way is to simply run java.exe -version from the <SASHome>\SASprivatejre\9.4\jre\bin folder. If the version reported is 1.7.0_111 you're good. If not: http://support.sas.com/kb/56/203.html.

 

Java 1.7.0_111 backports the 'Djdk.tls.client.protocols' that was introduced in Java 8.

 

This part corresponds to middle tier configurations, so I don't think it applies to you, but I would like to share this information, in case it may help somewone.

 

This will need to be set on every client component that needs a connection to the middle tier. So, this means that all SASServerX_x instances wrapper.conf files need the -Djdk.tls.client.protocols=TLSv1.2 java option to be set. This should ensure that the  web application servers will work.

 

-Djdk.tls.client.protocols="TLSv1.2" needs to be added to other clients as well:

 

- To make Content Server validation work in Management Console:

SASHOME/SASManagementConsole/9.4/sasmc.ini

 

- To make the Deployment Backup work from the /SASBackupManager web app:

SASHOME/SASPlatformObjectFramework/9.4/SASDeploymentBackup/BackupServer.ini

 

- To make the Deployment Backup work from the command line tools:

SASHOME/SASPlatformObjectFramework/9.4/tools/admin/*.ini (many)

 

- Environment Manager server (also a client in this specific case)

SASCONFIG/Web/SASEnvironmentManager/server-5.8.0-EE/conf/hq-server.conf

 

 

Additionally some tasks in Enterprise Guide also create connections to the middle tier. These fail as well. The problem here is in the .NET framework:

 

Microsoft's .NET framework 4.0 does not officially support TLS 1.2. This is introduced with .NET 4.5 where it is available but not enabled by default. Starting with .NET 4.6 TLS 1.2 is enabled. Enterprise Guide 7.13 is built against 4.6 and should work correctly. The previous 7.x versions do not. This requires changes to the .net framework.  adding the SchUseStrongCrypto registry will take care of this.

 

https://technet.microsoft.com/en-us/library/security/2960358.aspx

 

What I wwould do: if you still need support on this, I would contact SAS Technical Support, because I am not sure about all the impact on Maintenance 0.

 

Kind regards,

Juan

 

View solution in original post

12 REPLIES 12
JuanS_OCS
Amethyst | Level 16

Hi Mark @markabell,

 

you are on the exact good track 🙂 Did you already tried it?

 

BTW, on the sasv9 files, it would be enough with:

 

-SAS_SSL_MIN_PROTOCOL=TLS1.2

markabell
Fluorite | Level 6

Thanks Juan,

 

There was a syntax error with the variable as I'd originally defined it, so I changed it to

 

-set SAS_SSL_MIN_PROTOCOL TLS1.2

 

Still no joy - I'll try it with your variant

 

Regards,

Mark

JuanS_OCS
Amethyst | Level 16

Hello @markabell

 

sorry to read there is no joy, yet.

 

There is something I did not realise the first time I read your message. You mentioned SAS 9.4 M0 ... perhaps I am dead wrong, but perhaps you will need to ensure your java on version 1.7.0_111 minimum. SAS 9.4 brings its own java (PrivateJRE) which updates only though hotfixes and maintenances.

 

First and foremost, Oracle has added support for TLS1.2 in java 7 in a later version. Therefore you'll first need to ensure that you have the required java version installed. The easiest way is to simply run java.exe -version from the <SASHome>\SASprivatejre\9.4\jre\bin folder. If the version reported is 1.7.0_111 you're good. If not: http://support.sas.com/kb/56/203.html.

 

Java 1.7.0_111 backports the 'Djdk.tls.client.protocols' that was introduced in Java 8.

 

This part corresponds to middle tier configurations, so I don't think it applies to you, but I would like to share this information, in case it may help somewone.

 

This will need to be set on every client component that needs a connection to the middle tier. So, this means that all SASServerX_x instances wrapper.conf files need the -Djdk.tls.client.protocols=TLSv1.2 java option to be set. This should ensure that the  web application servers will work.

 

-Djdk.tls.client.protocols="TLSv1.2" needs to be added to other clients as well:

 

- To make Content Server validation work in Management Console:

SASHOME/SASManagementConsole/9.4/sasmc.ini

 

- To make the Deployment Backup work from the /SASBackupManager web app:

SASHOME/SASPlatformObjectFramework/9.4/SASDeploymentBackup/BackupServer.ini

 

- To make the Deployment Backup work from the command line tools:

SASHOME/SASPlatformObjectFramework/9.4/tools/admin/*.ini (many)

 

- Environment Manager server (also a client in this specific case)

SASCONFIG/Web/SASEnvironmentManager/server-5.8.0-EE/conf/hq-server.conf

 

 

Additionally some tasks in Enterprise Guide also create connections to the middle tier. These fail as well. The problem here is in the .NET framework:

 

Microsoft's .NET framework 4.0 does not officially support TLS 1.2. This is introduced with .NET 4.5 where it is available but not enabled by default. Starting with .NET 4.6 TLS 1.2 is enabled. Enterprise Guide 7.13 is built against 4.6 and should work correctly. The previous 7.x versions do not. This requires changes to the .net framework.  adding the SchUseStrongCrypto registry will take care of this.

 

https://technet.microsoft.com/en-us/library/security/2960358.aspx

 

What I wwould do: if you still need support on this, I would contact SAS Technical Support, because I am not sure about all the impact on Maintenance 0.

 

Kind regards,

Juan

 

markabell
Fluorite | Level 6

Hi Juan,

 

Thanks for the detailed response - it looks like we need to get the Java updated

D:\SAS>D:\SAS\Applications\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe -version
java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)

 

I'll see when our Operations team can look at getting the java upgrade done.

 

Thanks,

Mark

 

 

JuanS_OCS
Amethyst | Level 16

I hope it will help there @markabell. It did to me a few months ago.

 

A quick comment and reminder: SAS 9.4 brings its own Java on the SASPrivateJRE and that is what needs to be updated. Therefore you might need to install all the latest hotfixes... or perhaps it would be even better to just upgrade to at least M3. The latest maintenance available is M5. In your shoes. I would just take this latest option to upgrade your SAS servers to M4 or M5, depending on your company policies.

markabell
Fluorite | Level 6

We have a full set of updates planned for early next year.  This is just to get the api loads running again.

The systems have been treated with benign neglect & are more than overdue for a full set of patches and upgrades.

 

Thanks,

Mark

Donna_SAS
SAS Employee

Note that the latest maintenance for SAS 9.4 is SAS 9.4M6 -- released on Nov 20.  This release uses a Java 8-based JRE, and sets TLSv1.2 as the minimum protocol.

markabell
Fluorite | Level 6

Hi Juan,

 

We were able to get the Java update done for the SAS provided JRE - see http://support.sas.com/kb/56/203.html.

 

And I can confirm that the SOAP API calls are now using TLS 1.2 and are working correctly.

 

Thankyou for your assistance on this.

 

Regards,

Mark

 

JuanS_OCS
Amethyst | Level 16

Hi there @markabell

 

very glad to know that you could make it to work, finally. And thanks for the feedback/update!

 

Regards,

Juan

megalopsuchos
Fluorite | Level 6

Juan,

Thank you so much for adding the additional information regarding wrapper.conf editing as I am the someone it helped.

JuanS_OCS
Amethyst | Level 16

Thanks @megalopsuchos and a pleasure

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 12 replies
  • 12439 views
  • 11 likes
  • 4 in conversation