japsas100
Pyrite | Level 9

Thank you so much, JuanS_OCS.
I just want to check where we should add the my_certificate_chain.cer file, and if we need to add this file under /opt/sas/config/Lev1/Web/WebServer/conf/extra/httpd-ssl.conf, can you share where exactly to add it, with the syntax?

 

Can you please share the full command to stop the SAS Web Server and the SAS Web Application Servers?

 

During installation we have to define the SAS web app servers, like SASServer1_1, SASServer1_2, etc. How many servers do we have to define there?
By default, will it create three sets of SAS web servers? Last time, when I did not define it, it created only one, SASServer1_1.

JuanS_OCS
Amethyst | Level 16

You are so welcome 🙂

 

You can store that certificate chain in the Web/WebServer/ssl directory, together with the server certificate and its private key.

 

For starting and stopping the servers, you can execute Lev1/Web/WebServer/bin/httpdctl {stop|start|status}, and for the complete middle tier, you can use the Lev1/sas.servers {start|stop|status} script.

 

You can deploy your SAS Web Applications on a single Web Application Server, SASServer1_1, but I personally deploy them on multiple servers to simplify my administration tasks; they become more manageable. During the deployment of your middle tier, the SDW will ask you if you want to deploy them on multiple machines. http://support.sas.com/documentation/cdl/en/biig/69172/HTML/default/viewer.htm#n05020intelplatform00... (see: Web Application Server: Multiple Servers)

japsas100
Pyrite | Level 9

Thanks Again!!!

 

Last question: where can we use the RSA private key file during installation?

JuanS_OCS
Amethyst | Level 16

No problem!

 

At the same link from my previous comment, you can read, some lines above:

 

SAS Web Server: Location of X509 Certificate and RSA Private Key
If you already have an X.509 certificate, enter their locations. When you are finished, click Next.
In X509 Certificate, enter the path to the valid X.509 certificate with the DNS name of this machine as the Common Name (CN).
In RSA private key, enter the path to the RSA private key that is not protected by a passphrase.
For more information, see SAS Intelligence Platform: Middle-Tier Administration Guide.
japsas100
Pyrite | Level 9

Thanks .....


Please confirm whether I am going in the right direction.

 

Created the below files using Notepad and moved them to the WebServer/ssl directory.

sastest.abc.com.crt -----merged file of server and root certificate in same order

sastest.abc.com.key -----private key file.

 

I just want to understand: do we need to give any link/reference to these files anywhere, because these are not the SAS standard names, or will the script pick them up automatically from this directory?

japsas100
Pyrite | Level 9

Hi JuanS_OCS,
During configuration I got the same error (PKIX error) as you mentioned in your last note, and I have made the same changes as per your note.
When I started the server I got the green color.
But when I resumed the SAS Deployment Wizard process I got another error.


Override ignored for property "webinfpltfm.setroledisplayname.msg"
[setAuthorityDisplay] [echo] Setting output prop rc
[setAuthorityDisplay]
Override ignored for property "webinfpltfm.setroledisplayname.returncode"
[echo] setAuthorityDisplay return code: 500
[echo] setAuthorityDisplay status: Created roles
[propertyfile] Updating property file: /opt/sas/config/Lev1/Logs/Configure/webinfpltfm_config_status.properties
BUILD FAILED
/opt/sas/sashome/SASWebInfrastructurePlatform/9.4/Config/webinfpltfm_config.xml:4111: The following error occurred while executing this line:
/opt/sas/sashome/SASWebInfrastructurePlatform/9.4/Config/webinfpltfm_config.xml:4065: Created roles
at org.apache.tools.ant.ProjectHelper.addLocationToBuildException(ProjectHelper.java:541)
at org.apache.tools.ant.taskdefs.MacroInstance.execute(MacroInstance.java:394)

 

 

And when I opened https://sastest01.xxxxxx.xx/SASVisualAnalyticsHub/index.jsp, it threw the below error:

HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

Please advise.

japsas100
Pyrite | Level 9

We have started a fresh installation again with the root certificate and the server certificate. We got the below error:

 

[webserverTarget] 2017-03-17 01:02:41,082 [main] DEBUG com.sas.appserver.vfabrcersvrc.Server - runServerScript() start >>>
[webserverTarget] 2017-03-17 01:02:41,082 [main] DEBUG com.sas.appserver.vfabrcersvrc.Server - runServerScript() start >>>
[webserverTarget] 2017-03-17 01:02:41,097 [main] INFO  com.sas.appserver.utils.AntProcessInvoker - Environment Variables:
[webserverTarget] 2017-03-17 01:02:41,101 [main] INFO  com.sas.appserver.utils.AntProcessInvoker - Working Directory: /opt/sas/config/Lev1/Web/WebServer
[webserverTarget] 2017-03-17 01:02:41,101 [main] INFO  com.sas.appserver.utils.AntProcessInvoker - Executable: /opt/sas/config/Lev1/Web/WebServer/bin/httpdctl
[webserverTarget] 2017-03-17 01:02:41,101 [main] INFO  com.sas.appserver.utils.AntProcessInvoker - Arguments:
[webserverTarget] 2017-03-17 01:02:41,101 [main] INFO  com.sas.appserver.utils.AntProcessInvoker - start
[webserverTarget]      [exec] (13)Permission denied: make_sock: could not bind to address [::]:443
[webserverTarget]
[webserverTarget]      [exec] (13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
[webserverTarget]
[webserverTarget]      [exec] no listening sockets available, shutting down
[webserverTarget]
[webserverTarget]      [exec] Unable to open logs
[webserverTarget]
[webserverTarget]      [exec] Result: 1

 

When I executed the below command as the root user, it threw the below error, and I noticed that the 443 service is not listening on the Linux server.

Path /opt/sas/config/Lev1/Web/WebServer/logs:- 

[Fri Mar 17 08:23:58 2017] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 17 08:23:58 2017] [warn] RSA server certificate CommonName (CN) `xxxxxxxxxxxxxxxxxxxxxx' does NOT match server name!?
[Fri Mar 17 08:23:58 2017] [error] Unable to configure RSA server private key
[Fri Mar 17 08:23:58 2017] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

 

 

[root@sastest01 tmp]# /opt/sas/config/Lev1/Web/WebServer/bin/httpdctl start
Starting pivotal httpd
Server start FAILED

 

Please advise.

JuanS_OCS
Amethyst | Level 16

Let's see. Step by step.

 

Objectives to achieve here:

  1. Ensure the certificates are installed on every Windows client and you can validate them.
  2. Execute the SDW and provide the (independent) server certificate and the private key as per instructions
  3. In case the deployment gives errors:
    1. Ensure configuration of the SAS Web Server (Apache) certificates (independent server cert, ind. priv key, and cert chain) and validate it. This is not really SAS-related. Any Web system admin at your company should be able to help you.
    2. Ensure the import of the certificates on the SASPrivateJRE by importing the independent certs
    3. Resume SDW by "Try Again"

Step 1: Windows - install and validate the server certificate

  • Install the server certificate on Windows (server and local stores)
  • Open the certificate and see the path. You will need to have available (crt files) and installed on Windows the previous certificates on its path
  • I expect that is the one you already received, although you might be missing some.

 

Step 2: SDW - provide certificates

  • Provide the standalone (not the chain) certificate and the private key for that server you are configuring (middle tier alias)
  • Run the SDW configuration

 

Step 3.1: SDW Error - Ensure configuration of the SAS Web Server

  • Before making any change, in httpd-ssl.conf you will see that SAS has configured the SSLCertificateFile and the SSLCertificateKeyFile variables.
  • If you open your IE browser you will see that the certificate chain is probably incomplete, because you provided the server certificate and key only. Then you will need to ensure the chain is complete.
  • To complete the Apache configuration you will need:
    • Create the chain as per definition seen on Step 1. 
    • Go to ssl folder on the web browser and ensure the following items are there:
      • yourserver.crt, which should be already there thanks to the SAS installer.
      • yourserver.key, which should be already there thanks to the SAS installer.
      • (optional) yourserver-ca.crt, which I expect is the one you received from your IT dep.
      • yourserver_chain.crt, the one you created.
    • Go to the httpd-ssl.conf file and ensure the values are updated in the file

 

 

#   Server Certificate:
SSLCertificateFile "ssl/yourserver.crt"


#   Server Private Key:
SSLCertificateKeyFile "ssl/yourserver.key"

#   Server Certificate Chain:
# (optional) SSLCertificateChainFile "ssl/yourserver-ca.crt"

#   Certificate Authority (CA):
#SSLCACertificatePath "ssl/ssl.crt"
SSLCACertificateFile "ssl/yourserver_chain.crt"
    • Restart the Apache server with /bin/httpdctl stop and /bin/httpdctl start
    • Re-validate the connection to your Apache with a browser. This time the certificate path should be OK and you should get a green Lock. If yes, you can continue to the next step, if this is not OK, you need to troubleshoot until ready.

Step 3.2: SDW Error - Ensure the import of the certificates on the SASPrivateJRE

  • With the SAS Deployment Manager (sashome/SASDeploymentManager/9.4/sasdm) you can import the certificates (independent ones, no chain) from all the certificate chain. You need to start from the root one, and the last one, just to be sure, should be your server's independent certificate
  • Once you do this, please stop all the SAS services, and start them again.
  • Once they are all started, try to validate (with the SAS Management Console at /sashome/SASManagementConsole/9.4/sasmc) the SAS Content Server.
  • If you can validate it, you can move on to the next step. If not, something is wrong on the PrivateJRE or the Web Server.

Step 3.3: SDW Error - Resume SAS Deployment Wizard/Configuration

  • Press "Try again"

 

If this still goes wrong, I would not wait longer and definitely get a SAS consultant on-site (with full availability of your certificates provider) or SAS Technical Support.
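
The checks behind Step 3.1 and the Apache errors quoted earlier in the thread (key values mismatch, a CA certificate configured as the server certificate, CN mismatch), as an added example that is not part of the original posts. It uses the standard openssl command line; the function names are made up for illustration and the file arguments stand for the thread's placeholder names.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the files httpd-ssl.conf points at.
# Usage (script name is hypothetical):
#   ./precheck.sh ssl/yourserver.crt ssl/yourserver.key ssl/yourserver_chain.crt <DNS name>

# The key must load without a passphrase and carry the same public key as the
# certificate; otherwise Apache reports "key values mismatch". Only the first
# certificate of a merged file is compared.
key_matches_cert() {  # key_matches_cert <cert.pem> <key.pem>
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  # "-passin pass:" makes an encrypted key fail instead of prompting.
  key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# A server certificate should not be a CA certificate (Apache warns
# "BasicConstraints: CA == TRUE" when the wrong file is configured).
is_ca_cert() {  # is_ca_cert <cert.pem>
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# The certificate must cover the DNS name clients use for the web server.
cert_matches_host() {  # cert_matches_host <cert.pem> <hostname>
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# The chain file must let the server certificate validate up to the root.
chain_verifies() {  # chain_verifies <chain.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

precheck() {  # precheck <cert.pem> <key.pem> <chain.pem> <hostname>
  local rc=0
  key_matches_cert "$1" "$2" ||
    { echo "FAIL: key does not match certificate or needs a passphrase"; rc=1; }
  is_ca_cert "$1" &&
    { echo "FAIL: configured server certificate is a CA certificate"; rc=1; }
  cert_matches_host "$1" "$4" ||
    { echo "FAIL: certificate does not cover $4"; rc=1; }
  chain_verifies "$3" "$1" ||
    { echo "FAIL: chain file does not validate the server certificate"; rc=1; }
  return $rc
}

# Run only when all four arguments are supplied on the command line.
if [ "$#" -eq 4 ]; then precheck "$@"; fi
```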

 

japsas100
Pyrite | Level 9

Thanks Juan_S_OCS

teelov
Quartz | Level 8
What a fantastic post - great help to all!!
