Architecting, installing and maintaining your SAS environment

Changing SAS default TLS version from 1.0 to 1.2

Occasional Contributor
Posts: 5
Hi,

 

We have recently been getting errors on our SOAP API calls.  (was previously OK) 

MPRINT(SOAP):   filename soap_in "E:\SASData\input\Admissions\enabling_ugrd_req.xml" RECFM=V LRECL=5000;
MPRINT(SOAP):   filename soap_out "E:\SASData\input\Admissions\enabling_ugrd_data.xml" RECFM=V LRECL=5000;
MPRINT(SOAP):   proc soap in=soap_in out=soap_out url="https://xxx.yyy.zzz/cgi-bin/uon.cfg/services/soap" ENVELOPE ;
MPRINT(SOAP):   run;

ERROR: org.springframework.ws.client.WebServiceIOException: I/O error: Received fatal alert: handshake_failure; nested exception is
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Some digging has revealed that it appears to be due to the external API target no longer supporting TLS 1.0

The SAS server is running SAS 9.4 M0 on  Windows 2008 .

 

We have done Windows patching to ensure that TLS 1.2 is on the windows server, but SAS still defaults to TLS 1.0

 

I've found what appears to be a likely solution -

The SAS_SSL_MIN_PROTOCOL environment variable enables you to set a minimum TLS protocol that will be negotiated

 

http://support.sas.com/documentation/cdl/en/secref/69831/HTML/default/viewer.htm#n1h5naraq9pbc1n1pk7...

 

I was going to add the following to one of the config files

-set "SAS_SSL_MIN_PROTOCOL=TLS1.2"

 

The question that I'm struggling with is "what is the appropriate config file to put this variable in ?"

There are lots of files scattered around - I think that it should be one of the "sasv9_usermods.cfg" files

and my current best idea as to which one is in - D:\SAS\Config\Lev1\SASApp

 

Is this correct or should I be using one in a different location ?

 

Thanks,

Mark

 


Accepted Solutions
Solution
‎10-24-2017 11:14 PM
Trusted Advisor
Posts: 1,427

Re: Changing SAS default TLS version from 1.0 to 1.2

Posted in reply to markabell

Hello @markabell

 

sorry to read there is no joy, yet.

 

There is something I did not realise the first time I read your message. You mentioned SAS 9.4 M0 ... perhaps I am dead wrong, but perhaps you will need to ensure your Java is on version 1.7.0_111 minimum. SAS 9.4 brings its own Java (PrivateJRE), which updates only through hotfixes and maintenances.

 

First and foremost, Oracle has added support for TLS1.2 in java 7 in a later version. Therefore you'll first need to ensure that you have the required java version installed. The easiest way is to simply run java.exe -version from the <SASHome>\SASprivatejre\9.4\jre\bin folder. If the version reported is 1.7.0_111 you're good. If not: http://support.sas.com/kb/56/203.html.

 

Java 1.7.0_111 backports the 'Djdk.tls.client.protocols' that was introduced in Java 8.

 

This part corresponds to middle tier configurations, so I don't think it applies to you, but I would like to share this information, in case it may help someone.

 

This will need to be set on every client component that needs a connection to the middle tier. So, this means that all SASServerX_x instances wrapper.conf files need the -Djdk.tls.client.protocols=TLSv1.2 java option to be set. This should ensure that the  web application servers will work.

 

-Djdk.tls.client.protocols="TLSv1.2" needs to be added to other clients as well:

 

- To make Content Server validation work in Management Console:

SASHOME/SASManagementConsole/9.4/sasmc.ini

 

- To make the Deployment Backup work from the /SASBackupManager web app:

SASHOME/SASPlatformObjectFramework/9.4/SASDeploymentBackup/BackupServer.ini

 

- To make the Deployment Backup work from the command line tools:

SASHOME/SASPlatformObjectFramework/9.4/tools/admin/*.ini (many)

 

- Environment Manager server (also a client in this specific case)

SASCONFIG/Web/SASEnvironmentManager/server-5.8.0-EE/conf/hq-server.conf

 

 

Additionally some tasks in Enterprise Guide also create connections to the middle tier. These fail as well. The problem here is in the .NET framework:

 

Microsoft's .NET framework 4.0 does not officially support TLS 1.2. This is introduced with .NET 4.5 where it is available but not enabled by default. Starting with .NET 4.6 TLS 1.2 is enabled. Enterprise Guide 7.13 is built against 4.6 and should work correctly. The previous 7.x versions do not. This requires changes to the .NET framework. Adding the SchUseStrongCrypto registry will take care of this.

 

https://technet.microsoft.com/en-us/library/security/2960358.aspx

 

What I would do: if you still need support on this, I would contact SAS Technical Support, because I am not sure about all the impact on Maintenance 0.

 

Kind regards,

Juan
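
A read-only check for the two prerequisites named in this answer, added here as an example and not taken from SAS or from the poster: it compares the private JRE's update level against 1.7.0_111 and reports whether SchUseStrongCrypto is set for .NET 4.x. The java.exe path is the one quoted elsewhere in this thread, the registry key paths are the standard .NET Framework 4 locations, and the function names are hypothetical.

```powershell
# Added example, not SAS code. Paths are assumptions; adjust to your deployment.
$JavaExe   = 'D:\SAS\Applications\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe'
$MinUpdate = 111   # 1.7.0_111, the minimum named in the answer above

function Test-JreUpdateLevel {
    param([string]$VersionText, [int]$MinUpdate)
    # First line of `java -version` looks like: java version "1.7.0_15"
    if ($VersionText -notmatch 'version "1\.(\d+)\.\d+(?:_(\d+))?') {
        throw "Unrecognised java -version output: $VersionText"
    }
    $major  = [int]$Matches[1]
    $update = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
    # Compare as integers: compared as strings, "15" sorts after "111".
    return ($major -gt 7) -or ($major -eq 7 -and $update -ge $MinUpdate)
}

function Get-StrongCryptoState {
    # .NET Framework 4.x keys read by 64-bit and 32-bit processes
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Key     = $key
            Enabled = [bool]($prop -and $prop.SchUseStrongCrypto -eq 1)
        }
    }
}

# Constructed self-check using a version string posted in this thread.
if (Test-JreUpdateLevel 'java version "1.7.0_15"' $MinUpdate) { throw 'self-check failed' }

if (Test-Path $JavaExe) {
    # java -version writes to stderr, so merge the streams and flatten to text.
    $text = (& $JavaExe -version 2>&1 | ForEach-Object { $_.ToString() }) -join "`n"
    $ok   = Test-JreUpdateLevel $text $MinUpdate
    Write-Output ("Private JRE meets 1.7.0_{0}: {1}" -f $MinUpdate, $ok)
} else {
    Write-Output "java.exe not found at $JavaExe"
}
Get-StrongCryptoState | Format-Table Key, Enabled -AutoSize
```

Nothing is modified by this script; a `False` in either result points at the JRE update or the registry change described in the answer.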

 



All Replies
Trusted Advisor
Posts: 1,427

Re: Changing SAS default TLS version from 1.0 to 1.2

Posted in reply to markabell

Hi Mark @markabell,

 

you are on the exact good track :) Did you already try it?

 

BTW, on the sasv9 files, it would be enough with:

 

-SAS_SSL_MIN_PROTOCOL=TLS1.2

Occasional Contributor
Posts: 5

Re: Changing SAS default TLS version from 1.0 to 1.2

Posted in reply to JuanS_OCS

Thanks Juan,

 

There was a syntax error with the variable as I'd originally defined it, so I changed it to

 

-set SAS_SSL_MIN_PROTOCOL TLS1.2

 

Still no joy - I'll try it with your variant

 

Regards,

Mark

Occasional Contributor
Posts: 5

Re: Changing SAS default TLS version from 1.0 to 1.2

Posted in reply to JuanS_OCS

Hi Juan,

 

Thanks for the detailed response - it looks like we need to get the Java updated

D:\SAS>D:\SAS\Applications\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe -version
java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)

 

I'll see when our Operations team can look at getting the java upgrade done.

 

Thanks,

Mark

 

 

Trusted Advisor
Posts: 1,427

Re: Changing SAS default TLS version from 1.0 to 1.2

Posted in reply to markabell

I hope it will help there @markabell. It did for me a few months ago.

A quick comment and reminder: SAS 9.4 brings its own Java on the SASPrivateJRE and that is what needs to be updated. Therefore you might need to install all the latest hotfixes... or perhaps it would be even better to just upgrade to at least M3. The latest maintenance available is M5. In your shoes, I would just take this latest option to upgrade your SAS servers to M4 or M5, depending on your company policies.

Occasional Contributor
Posts: 5

Re: Changing SAS default TLS version from 1.0 to 1.2

Posted in reply to JuanS_OCS

We have a full set of updates planned for early next year.  This is just to get the api loads running again.

The systems have been treated with benign neglect & are more than overdue for a full set of patches and upgrades.

 

Thanks,

Mark

Occasional Contributor
Posts: 5

Re: Changing SAS default TLS version from 1.0 to 1.2

Posted in reply to JuanS_OCS

Hi Juan,

 

We were able to get the Java update done for the SAS provided JRE - see http://support.sas.com/kb/56/203.html.

 

And I can confirm that the SOAP API calls are now using TLS 1.2 and are working correctly.

 

Thank you for your assistance on this.

 

Regards,

Mark

 

Trusted Advisor
Posts: 1,427

Re: Changing SAS default TLS version from 1.0 to 1.2

Posted in reply to markabell

Hi there @markabell

 

Very glad to know that you could make it work, finally. And thanks for the feedback/update!

 

Regards,

Juan

☑ This topic is solved.
