03-13-2017 01:13 PM
We have installed and configured SAS VA distributed env on Linux for HTTP. We have made all the changes in the SAS files to reconfigure it to HTTPS.
We are not able to access the SASVisualAnalyticsHub; it's throwing the below error
03-17-2017 06:06 AM
Let's see. Step by step.
Objectives to achieve here:
Step 1: Windows - install and validate the server certificate
Step 2: SDW - provide certificates
Step 3.1: SDW Error - Ensure configuration of the SAS Web Server
# Server Certificate:
SSLCertificateFile "ssl/yourserver.crt"
# Server Private Key:
SSLCertificateKeyFile "ssl/yourserver.key"
# Server Certificate Chain:
# (optional) SSLCertificateChainFile "ssl/yourserver-ca.crt"
# Certificate Authority (CA):
#SSLCACertificatePath "ssl/ssl.crt"
SSLCACertificateFile "ssl/yourserver_chain.crt"
Step 3.2: SDW Error - Ensure the import of the certificates on the SASPrivateJRE
Step 3.3: SDW Error - Resume SAS Deployment Wizard/Configuration
If this still goes wrong, I would not wait longer and definitely get a SAS consultant on-site (with full availability of your certificates provider) or SAS Technical Support.
03-13-2017 02:34 PM - edited 03-13-2017 02:36 PM
when you receive those errors:
Something else: Did you check if you have iptables or any firewall blocking the access, from server and client side? You can easily test this with a "telnet yourserver.com 443" assuming that you have set https to port 443.
03-14-2017 08:37 AM
Thanks for the reply.
I have missed the below step.
Just want to understand how many files we generally need to import via the deployment wizard.
In our case we have 3 files.
1) key file generated by below command
2) 2 files received from IT dept for site-signed
One is in .pem format and the other is a plain file like below:
I have loaded the first file (.pem format) that we received from the IT team after converting it via the below command
openssl x509 -in /opt/sas/key/Certificate_Authority.pem -outform PEM -out /opt/sas/key/Certificate_Authority1.pem
and also loaded the intermediate file received from the IT team as defined above.
But when I am going to load the .key file (private key), it's throwing an error like
Singed overrun: bytes 920
verify the file contain certificates in proper encoding.
Could you please advise whether I am going in the right direction and how we can fix the above error.
03-14-2017 08:49 AM
You will need to know first the certificate chain/path of your certificate. This certificate was probably issued by a CA (Certificate Authority) and this CA has probably a Root CA... and so on. You will need to have the certificate of each of them, in PEM (Base 64 encoding/plain format) format.
Once you get them, you will need to import them into your cacerts (if you are on SAS 9.4 M2 or lower) or into the jscerts (if you are on SAS 9.4 M3 or higher), in the right order. Root certificate, dependent CAs and the last one, your certificate of this machine.
03-14-2017 09:44 AM
We have received only one root certificate file from the IT team that is in .pem format and the other one like below:
All the above files I have imported via the SAS deployment wizard.
You mentioned "last one, your certificate of this machine." Could you please confirm what this file is called or where we get this file?
Please explain in detail as I am very new to this kind of work.
03-14-2017 10:36 AM
I initially expected the good certificate would be this version
Let's go step by step. First step:
So, you imported the certificate with the SAS deployment manager, and I assume you also put the certificate on the SAS Web Server.
If you start the SAS Web Server only, and you try to go to the https://yourserver.com URL with IE, or Chrome, you will get a red or green lock, right? If you right click or click on this lock, you will get information of your certificate and it will tell you if all certificates are OK or any of them are not OK or is missing.
Please let us know the results of this exercise.
03-14-2017 12:09 PM
I have received two files from the IT dept; both have the same format as per your last email.
One file has the below format
and the other file has the same format at the bottom of the file and additional details like
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: xxxxxxxxxxxxxxxxxxxxxxx
Issuer: C=xx, O=xxxxxx, CN=xxxxx Certificate Authority
Not Before: Oct 1 00:00:00 2015 GMT
Not After : Oct 1 00:00:00 2035 GMT
Subject: C=xx, O=xxxxx, CN=xxxxx Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Signature Algorithm: xxxxxxxxxxxxxxxxx
Please advise which file I need to pick in first step and how I can put the certificate on the SAS Web Server?
03-14-2017 05:16 PM
When I validate the certificate it's throwing the below error:
[sas@sastest01 bin]$ /opt/sas/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
03-15-2017 07:53 AM
We have installed and deployed SAS VA 7.3 on a distributed env with HTTP security.
Now we have converted into HTTPS as per the SAS process but still we are able to open the SAS portal. It's throwing the below error:
This site can’t be reached
sastest01.xxxxxx.xxx refused to connect.
When we try to open the link without SASVisualAnalyticsHub, it's showing the welcome page in blue color
also see that "This page is secure (valid HTTPS)." in green color.
03-15-2017 09:38 AM
Did you follow steps 7 and 8 of http://support.sas.com/documentation/cdl/en/bimtag/69826/HTML/default/viewer.htm#n0nakjyj6hlqmvn11p9... and restart the webtier afterwards? Otherwise the communication between the webserver and webapp server will be broken, which your errors suggest is now the case. (The proxy will work, the reverse proxy won't)
You might find some more info about the error in the webserver log or in the catalina.out file from the SASServer that runs your VA.
Furthermore, if this is a fresh installation, I would suggest starting over and enabling https during the configuration (make sure to load your root and intermediate certificates in the keystore between installation and configuration when you have your own CA). You might have issues applying hotfixes otherwise (you might need to revert to http before the hotfixes, or change the loadcontent scripts to connect to https).
About your error with the jks file. The default password for the keystores is 'changeit'. Did you try that password?
03-15-2017 10:48 AM
Thanks for the email.
Finally I am able to login to https://sastest01.xxxxx.xx/SASLogon/login. It's asking for the userid and password, then it's showing the below screen:
You have signed in.
For increased security, sign out and close your web browser when you finish accessing services that require authentication.
But when I use the below login with https://sastest01.xxxxx.xx/SASVisualAnalyticsHub/index.jsp ..... it's again throwing the below error:
This site can’t be reached
sastest01.xxxx.xx refused to connect.
I have made all the changes as per below document.
03-16-2017 06:19 AM
you should have no problems if you followed the indications provided by @mikev and previously provided also by myself.
Let's check something, really simple: are you able to connect to http://sastest01.xxxxx.xx:8080 , http://sastest01.xxxxx.xx:8180 and http://sastest01.xxxxx.xx:9180? This should test if your ports to SASServer1_1, 2_1 and 12_1 are blocked or not. They shouldn't.
Also, could you please check the logs of WebServer/logs/errors WebAppServer12_1/logs/server.log ?
PS: Did you open a parallel track with SAS Technical Support? Since it seems you are a bit under the stress of a deadline, and you are not getting many responses here, you would like to cover all your bases, while we can still try to help you.
03-16-2017 08:33 AM
Yes I can open http://sastest01.s.xxxx.xx:8080/ with any issue. But I can't see any servers SASServer12_1 .....
I already spent so much time on this issue. I am going to reinstall SAS again.
This time I will configure HTTPS during the SAS installation. I have one question regarding the certification....
Could you please guide on which certificate we can use during installation of SAS Web Server.
During installation SAS asks for two files for HTTPS
1) X509 Certificate
2) RSA private key
Just want to update you we have received two certificates (site certificate) from IT team
1) Root certificate
2) server certificate
Both these certificates have the same format like
Can you please explain where we are going to use these two certificates during and post installation step.
03-16-2017 09:22 AM - edited 03-16-2017 09:23 AM
Yeah, I see the unnecessary extra time here. Good idea to re-install, because you can do the direct configuration of SSL in a single step.
Those 2 certificates look good as what SAS will expect. You can start by using the server certificate.
Just some heads-up: During the configuration of the Web Infrastructure Services on the middle tier, it "might" give you an error. If you open the link of the log with the error, you will quickly see it is a PKIX error. The solution is in the following procedure:
(Your Server Certificate - ssl.crt)
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
(Your Intermediate CA Certificate(s))
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
(Your Root CA Certificate)
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
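Added example (not part of the original thread and not SAS code): shell functions for the two checks that come up above, telling a private key from a certificate before importing it, and confirming that a concatenated chain file runs server certificate, intermediate CA(s), root CA. The function names `pem_kind` and `chain_order` are made up for this illustration; only standard `openssl x509` options are used.

```shell
#!/bin/sh
# Added example: classify PEM files and check the order of a chain bundle.

# pem_kind FILE: print what the first PEM block in FILE holds.
pem_kind() {
  case "$(grep -m1 -e '-----BEGIN ' "$1")" in
    *'PRIVATE KEY-----'*)         echo private-key ;;
    *'CERTIFICATE REQUEST-----'*) echo csr ;;
    *'BEGIN CERTIFICATE-----'*)   echo certificate ;;
    *)                            echo unknown ;;
  esac
}

# chain_order BUNDLE: list each certificate in BUNDLE and return 0 only when
# every certificate is issued by the one after it and the last is self-signed
# (server -> intermediate(s) -> root). Names are compared by hash; signatures
# are not checked here (openssl verify does that).
chain_order() {
  tmp=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate, skipping label lines.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
                   on { print > (d "/" n ".pem") }
                   /-----END CERTIFICATE-----/   { on = 0 }' "$1"
  i=1; rc=0; want=""; subj=""; issuer=""
  while [ -f "$tmp/$i.pem" ]; do
    subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject_hash)
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
    echo "cert $i: $(openssl x509 -in "$tmp/$i.pem" -noout -subject)"
    # The previous certificate named its issuer; this one must be that issuer.
    if [ -n "$want" ] && [ "$want" != "$subj" ]; then
      echo "  out of order: not the issuer of cert $((i - 1))"; rc=1
    fi
    want=$issuer
    i=$((i + 1))
  done
  rm -rf "$tmp"
  [ "$i" -gt 1 ] || return 2   # no certificates found in the file
  # A root CA certificate is self-signed: subject and issuer are the same.
  if [ "$subj" != "$issuer" ]; then
    echo "  last certificate is not a self-signed root"; rc=1
  fi
  return "$rc"
}
```

Run `pem_kind` on every file received before importing it, and `chain_order` on the concatenated file before pointing the web server at it.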