BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
japsas100
Pyrite | Level 9

 We have installed  and configured sas va distributed env on Linux for HTTP.  We have made all the change to in sas files to reconfigured it to HTTPS.

 

We are not able to access the SASVisualAnalyticsHub its throwing below error

 

 

This site can’t be reached
sastest01.s.xxxx.xx refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED 
1 ACCEPTED SOLUTION

Accepted Solutions
JuanS_OCS
Amethyst | Level 16

Let's see. Step by step.

 

Objectives to achieve here:

  1. Ensure the certificates are installed on every windows client and you can validate them.
  2. Execute the SDW and provide the (independent) server certificate and the private key as per instructions
  3. In case the deployment gives errors"
    1. Ensure configuration of the SAS Web Server (Apache) certificates (independent server cert, ind. priv key, and cert chain) and validate it. This is not really SAS-related. Any Web system admin at your company should be able to help you.
    2. Ensure the import of the certificates on the SASPrivateJRE by importing the independent certs
    3. Resume SDW by "Try Again"

Step 1: Windows - install and validate the server certificate

  • Install the server certificate on windows (server and local stores)
  • Open the certificate and see the path. You will need to have available (crt files) and installed on windows the previous certificates on its path
  • I expect that is the one you already received, although you might be missing some.

 

Step 2: SDW - provide certificates

  • Provide the standalone (not the chain) certificate and the private key for that server you are configuring (middle tier alias)
  • Run the SDW configuration

 

Step 3.1: SDW Error - Ensure configuration of the SAS Web Server

  • before making any change, on httpd-ssl.conf you will see SAS has configured SSLCertificateFile and the SSLCertificateKeyFile variables.
  • If you open your IE browser you sill see that probably the certificate chain is incomplete, because you provided the server certificate and key only. Then you will need to ensure the chain is complete.
  • To complete the Apache configuration you will need:
    • Create the chain as per definition seen on Step 1. 
    • Go to ssl folder on the web browser and ensure the following items are there:
      • yourserver.crt, which should be already there thanks to the SAS installer.
      • yourserver.key, which should be already there thanks to the SAS installer.
      • (optional) yourserver-ca.crt, which I expect is the one you received from your IT dep.
      • yourserver_chain.crt, the one you created.
    • Go to the httpd-ssl.conf file and ensure the values are updated in the file

 

 

#   Server Certificate:
SSLCertificateFile "ssl/yourserver.crt"


#   Server Private Key:
SSLCertificateKeyFile "ssl/yourserver.key"

#   Server Certificate Chain:
# (optional) SSLCertificateChainFile "ssl/yourserver-ca.crt"

#   Certificate Authority (CA):
#SSLCACertificatePath "ssl/ssl.crt"
SSLCACertificateFile "ssl/yourserver_chain.crt"
    • Restart the apache server with /bin/httpdctl stop and /bin/httpdctl start
    • Re-validate the connection to your Apache with a browser. This time the certificate path should be OK and you should get a green Lock. If yes, you can continue to the next step, if this is not OK, you need to troubleshoot until ready.

Step 3.2: SDW Error - Ensure the import of the certificates on the SASPrivateJRE

  • With the SAS Deployment Manager (sashome/SASDeploymentManager/9.4/sasdm) you can import the certificates (independent ones, no chain) from all the certificate chain. You need to start from the root one and the last one, just to be sure, it should be your server's independent certificate
  • Once you do this, please stop all the SAS services, and start them again.
  • Once they are all started, try to validate (with the SAS Management Console at /sashome/SASManagementConsole/9.4/sasmc) the SAS Content Server.
  • If you can validate it, you can move on to the next step. If not, something is wrong on the PrivateJRE or the Web Server.

Step 3.3: SDW Error - Resume SAS Deployment Wizard/Configuration

  • Press "Try again"

 

If this still goes wrong, I would not wait longer and definetely get a SAS consultant on-site (with full availability of your certificates provider) or SAS Technical Support.

 

View solution in original post

24 REPLIES 24
JuanS_OCS
Amethyst | Level 16

Hello @japsas100,

 

when you receive those errors:

 

  • the first best thing to do, is to check the logs of the SAS Web App that generated the error. In this case: SASVisualAnalyticsHub.log (under /Config/Lev1/Web/Logs/SASServer12_1).
  • When you go to https://yourserver.com (not necessarily with /SASVisualAnalyticsHub), on the URL tab, do you get a red or green Lock image/icon? That will give you hints if your certificate is correct on the SAS Web Server (~Apache)
  • Do you even manage to get to the Welcome screen of the SAS Web Server?
  • you can try to validate the SAS Content Server on the SAS Management Console. Do you get any error, such as PKIX? This will tell you that the certificate is not correct on the Java store and/or your SAS Web Server http://support.sas.com/documentation/cdl/en/bimtag/69826/HTML/default/viewer.htm#n0nakjyj6hlqmvn11p9...
  • Did you included all the certificates (chain) in all your SASPrivateJRE, on the correct order (Root - CA - certificate), in all your SAS nodes? If not, you should. You can easily do it with the SAS Deployment Mnager.

 

Something else: Did you checked if you have iptables or any firewall blocking the access, from server and client side? You can easily test this with a "telnet yourserver.com 443" assuming that you have set https to port 443.

japsas100
Pyrite | Level 9

Thanks for reply.

 

I have missed the below step.

  • Did you included all the certificates (chain) in all your SASPrivateJRE, on the correct order (Root - CA - certificate), in all your SAS nodes? If not, you should. You can easily do it with the SAS Deployment Mnager

Just want to understand how many files genertally we need to import via deployment wizard .

 

In our case we have 3 files.

1) key file generted by below command 

    

  • genrsa -out sastest01.s.xxxxxx.xx.key 2048

2) 2 files received from IT dept for site-signed 

 One is in .pem format and other have plain file like below :

-----BEGIN CERTIFICATE-----

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-----END CERTIFICATE-----

 

I have loaded first file (.pem format ) that we received from IT team after convert into via below command

openssl x509 -in /opt/sas/key/Certificate_Authority.pem -outform PEM -out /opt/sas/key/Certificate_Authority1.pem

 

and another loaded intermediated file receieved from IT team as defined above.

 

But when I going to load .key file (private key) its throwing error like 

Singed overrun: bytes 920

verify the file contain certificates in proper encoding.

 

Could you please advise weather I am going into right direction and how we can fix above error.

 

 

JuanS_OCS
Amethyst | Level 16

Hi @japsas100,

 

you will need to know first the certificate chain/path of your certificate. THis certificate was probably issues by a CA (Certificate Authority) and this CA has probably a Root CA... and so on. You will need to have the certificate of each of them, on PEM (Base 64 encoding/plain format) format.

 

Once you get them, you will need to import them into your cacerts (if you are on SAS 9.4 M2 or lower) or into the jscerts (if you are on SAS 9.4 M3 or higher), on the right order. Root certificate, dependant CAs and the last one, your certificate of this machine.

japsas100
Pyrite | Level 9

Thanks....

 

We have received only one root certificate file from IT team thats is in .pem format and other one like below : 

-----BEGIN CERTIFICATE-----

 

XXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXX

-----END CERTIFICATE-----

All above file I have imported via sas depmoment wizard.

 

You mentioned "last one, your certificate of this machine." Could you please confirm file name called or where we get this file?

 

Pl explian in details as I am very new to this kind of work.

JuanS_OCS
Amethyst | Level 16

I Initially expect the good certificate would be this version

-----BEGIN CERTIFICATE-----

 

XXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXX

-----END CERTIFICATE-----

 

Let's go step by step. First step:

 

So, you imported the certficate with the SAS deployment manager, and I assume you also put the certificate on the SAS Web Server.

If you start the SAS Web Server only, and you try to go the https://yourserver.com URL with IE, or Chrome, you will get a red or green lock, right? If you right click or click on this lock, you will get information of your certificate and it will tell you if all certificates are OK or any of them are not OK or is missing.

 

Please let us know the results of this exercise.

japsas100
Pyrite | Level 9

Thanks ....

 

-----BEGIN CERTIFICATE-----

 

XXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXX

-----END CERTIFICATE-----

 

and other file have same format at the bottom of the file and addtional details like 

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: xxxxxxxxxxxxxxxxxxxxxxx
Issuer: C=xx, O=xxxxxx, CN=xxxxx Certificate Authority
Validity
Not Before: Oct 1 00:00:00 2015 GMT
Not After : Oct 1 00:00:00 2035 GMT
Subject: C=xx, O=xxxxx, CN=xxxxx Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption

...

Signature Algorithm: xxxxxxxxxxxxxxxxx

 

-----BEGIN CERTIFICATE-----

 

XXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXX

-----END CERTIFICATE-----

 

Please advise which file I need to pick in first step and how I can put the certificate on the SAS Web Server?

japsas100
Pyrite | Level 9

Hi ,

When I validate the certificate its throwing below error:

 

[sas@sastest01 bin]$ /opt/sas/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

japsas100
Pyrite | Level 9

We have installed and deployed sas va7.3 on distributed env with http security.
 
Now we have converted into https as per sas process but still we are able to open sas portal. Its throwing below error:
 
URL https://sastest01.xxxx.xx/SASVisualAnalyticsHub
 
This site can’t be reached
sastest01.xxxxxx.xxx refused to connect.
 
When we trying to open link without SASVisualAnalyticsHub, its showing the welcome page in blue color
 
https://sastest01.xxxx.xx/
 
also see that This page is secure (valid HTTPS). in green color.
 
Please advise.

mikev
Calcite | Level 5

Hey @japsas100,

 

Did you follow steps 7 and 8 of http://support.sas.com/documentation/cdl/en/bimtag/69826/HTML/default/viewer.htm#n0nakjyj6hlqmvn11p9... and restart the webtier afterwards? Otherwise the communication between the webserver and webapp server will be broken, which your errors suggests is now the case. (The proxy will work, the reverse proxy won't)

 

You might find some more info about the error in the webserver log or in the catalina.out file from the SASServer that runs your VA.

 

Furthermore, if this is a fresh installation, I would suggest starting over and enabling https during the configuration (make sure to load your root and intermediate certificates in the keystore between installation and configuration when you have your own CA). You might have issues applying hotfixes otherwise (you might need to revert to http before the hotfixes, or change the loadcontent scripts to connect to https).

 

About your error with the jks file. The default password for the keystores is 'changeit'. Did you try that password?

 

grtz,

-- Mike

japsas100
Pyrite | Level 9

Thanks for email.

 

Finally I am able to login to https://sastest01.xxxxx.xx/SASLogon/login.  its asking the userid and password then it showing below screen: -

 

You have signed in.

For increased security, sign out and close your web browser when you finish accessing services that require authentication.

 

But when I use below login with https://sastest01.xxxxx.xx/SASVisualAnalyticsHub/index.jsp .....its again throwing below error: 

his site can’t be reached

sastest01.xxxx.xx refused to connect.

 

I have made all the changes as per below document.

 

http://support.sas.com/documentation/cdl/en/bimtag/69826/HTML/default/viewer.htm#n0nakjyj6hlqmvn11p9...
 

Please advise?

 

japsas100
Pyrite | Level 9

Any suggestion on my last query!!!

JuanS_OCS
Amethyst | Level 16

Hello @japsas100,

 

you should have no problems if you followed the indications provided by @mikev and previously provided also by myself.

 

Let's check something, really simple: are you able to connect to http://sastest01.xxxxx.xx:8080 , http://sastest01.xxxxx.xx:8180 and http://sastest01.xxxxx.xx:9180? This should test if your ports to SASServer1_1, 2_1 and 12_1 are blocked or not. They shouldn't.

 

Also, could you please check the logs of WebServer/logs/errors WebAppServer12_1/logs/server.log ?

 

PS: Did you open a parallel track with SAS Technical Support? Since it seems you are a bit under the stress of a deadline, and you are not getting many responses here, you would like to cover all your bases, while we can still try to help you.

japsas100
Pyrite | Level 9

Thanks JuanS_OCS
Yes I can open http://sastest01.s.xxxx.xx:8080/ with any issue. But I cant see any any servers SASServer12_1 .....

I alredy spent so much time on this issue. I am going to reinstall the sas again.

This time i will configure the HTTPS during the sas installation . I have one question regarding regarding the certification....

Could you please guide on which certificate we can use during installation of SAS Web Server:.

During installation SAS asking two files for HTTPS
1) X509 Certificate
2) RSA private key

Just want to update you we have received two certificates (site certificate) from IT team

1) Root certificate
2) server certificate

Both these certificates have same format like

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Can you please explain where we are going to use these two certificates during and post installation step.

JuanS_OCS
Amethyst | Level 16

Hello @japsas100,

 

yeah, I see the unnecessary extra time here. Good idea to re-install, because you can do the direct configuration of SSL on a single step.

 

Those 2 certificates look good as what SAS will expect. You can start by using the server certificate.

 

Just some heads-up: During the configuration of the Web Infrastructure Services on the middle tier, it "might" give you an error. If you open the link of the log with the error, you will quickly see it is a PKIX error. The solution is on the followign procedure:

 

  • While you keep open the SAS Deployment Wizard with the error, you can open the SAS Deployment Manager, then you import the Root certificate, then the server certificate (just to be sure). This will add the certificates and chain to the SASPrivateJRE certificate store (jre/lib/secure/jscerts).

 

(Your Server Certificate - ssl.crt)

-----BEGIN CERTIFICATE-----

<PEM encoded certificate>

-----END CERTIFICATE-----



(Your Intermediate CA Certificate(s)) 

-----BEGIN CERTIFICATE-----

<PEM encoded certificate>

-----END CERTIFICATE-----



(Your Root CA Certificate)

-----BEGIN CERTIFICATE-----

<PEM encoded certificate>

-----END CERTIFICATE-----

 

 

  • Check the httd-ssl.conf of your Web Server, to ensure the httpd service will run with the right certificate and chain (sss certificate chain, you can include the new my_certificate_chain.cer we created)

 

  • Stop manually the SAS Web Server and the SAS Web Application Servers (1_1, 2_1, 12_1)

 

 

  • Start the SAS Web Application Servers (1_1, 2_1, 12_1)

 

  • On the SAS Deployment Wizard that is on-hold, click on retry.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 24 replies
  • 7292 views
  • 10 likes
  • 4 in conversation