Re: Enable HTTPS for SAS Environment Manager

nhvdwalt · Posted 11-16-2017 06:27 AM

Hi team,

I'm trying to enable HTTPS for SAS Environment Manager 9.4M4 with a third-party (Entrust) signed certificate.

I have done the following to no avail....

http://support.sas.com/kb/56/465.html

http://support.sas.com/kb/56/451.html

http://support.sas.com/kb/56/600.html

Followed the post-install steps in the SAS Environment Manager Admin Guide

Created a keystore with the CA root, intermediaries and server certificate.

If I go to the EM console, Chrome complains that it can't validate the site. However, I've also implemented TLS on all the web apps on this same installation and they work 100%, so this is isolated to Environment Manager. Under HTTP I could connect 100% to the console.

Any ideas ?

JuanS_OCS · Posted 11-16-2017 10:05 AM

Hello @nhvdwalt,

have you included the certificates in the Chrome certificate store?

is it working OK for IE or Firefox?

when it does not validate the site, can you still go through by accepting you go to an insecure site?

nhvdwalt · Posted 11-16-2017 10:28 AM

Hi @JuanS_OCS

Yes, I have imported the certs into Chrome. Other https URLs on the same mid tier e.g. VA Hub works 100%.

Haven't tried with other browsers yet.

Yes, I can click through and go to an 'unsecure' site.

I'm just thinking now....The only difference between the EV and the Web Server setup, is that the EV config has a different private key, since it's generates a new private key when you create the keystore. It's the same server and server cert, but different private key.

Could this maybe be the problem ? i.e. mismatch between the private key and the server cert.

If so, is it possible to use the private key from the Web Server config for EV ? Ultimately I want to use the same server cert I used for the Web Server.

Thanks,

JuanS_OCS · Posted 11-17-2017 05:41 AM

Hello @nhvdwalt,

I think you are on the right track. have you already tried it? Do not forget to make copies/backups of modified files. 😉

nhvdwalt · Posted 11-17-2017 05:58 AM

Hi @JuanS_OCS

This morning I obtained a third-party (Entrust) signed certificate for the server and imported all the certs into a new EV keystore, but the problem remains. So that rules out the private key theory..

Btw....I get the same error in Chrome, FireFox and Edge.

If I expand the error in Chrome, it shows the certificate. The issuer of the certificate is listed as my server, so it appears to be the self signed certificate. But I don't understand how since EV is pointing to the new keystore that only contains the new thirdparty certs. It's as if EV is providing the self signed certificate and not the new ones.

Any ideas ?

nhvdwalt · Posted 11-27-2017 01:53 AM

Hi @JuanS_OCS

Just an update on this one....

I have opened a Track with Tech Support and we are still investigating. From the analysis so far, it seems like the error in Chrome is caused by Environment Manager using the self-signed certificate instead of the third party certificate. It's weird because all locations have been updated with the third party certificate, so there should be no trace of the self signed one, but for some reason EV is not using the third party one.

Will keep the forum posted...

EdM · Posted 07-02-2018 08:09 AM

Did anyone find an answer to this issue? I am having the exact same problem with an M5 install. I've gone through all of the KBs listed above as well as the all of the installation documentation that I could find, all to no avail. If someone has an answer, it would be greatly appreciated.

nhvdwalt · Posted 07-02-2018 08:53 AM

Hi @EdM

Unfortunately our project timelines didn't allow us to complete the investigation, so no resolution was found.