Re: How to configure SAS Web server for HTTPS

Madhan_cog1 · Posted 09-21-2020 07:26 AM

Hi All,

We have installed and configured SAS 9.4M5 Grid version(Multi tier architecture).

Could you please suggest how to configure HTTPS for Web server.

We are able to access the Mid tier components only through HTTP now.

Please suggest how to configure for HTTPS.

Thanks,

Madhan M.

JuanS_OCS · Posted 09-21-2020 07:31 AM

Hello @Madhan_cog1 ,

Mainly you will need to follow this document (and links in it), to switch the SAS Web server to HTTPS

https://documentation.sas.com/?docsetId=bimtag&docsetTarget=n0nakjyj6hlqmvn11p9p04l25j9n.htm&docsetV...

Do you need to change the SAS Web Application Server(s) to HTTPS? In that case you would need to follow these steps as well:

https://documentation.sas.com/?docsetId=bimtag&docsetTarget=n1enfdk7f1fjcqn1ggbrx79lm9i0.htm&docsetV...

Normally with the first document is enough, given that is the only requirement from your Security Office.

Best regards.

Juan

Anand_V · Posted 09-22-2020 01:58 AM

Hi @Madhan_cog1

Please follow the steps shared by @JuanS_OCS . Also I would advise in the future it's good to enable HTTPs during configuration phase itself as you can avoid a lot of manual changes and errors caused due to it. Depending upon the web applications deployed at your site it will only add to the complexity.

Madhan_cog1 · Posted 09-22-2020 07:50 AM

Hi Juan/Anand,

Thanks for your response.

As suggested we are trying to enable HTTPS during configuration phase in a different level(Lev1)..

We are facing some issues while configuring HTTPS in web server.

SAS Deployment Wizard was prompting for the path for X509 certificate and RSA private key.

We used the below link to get the path for X509 and RSA private key but we are still facing issues.

https://documentation.sas.com/?docsetId=secref&docsetTarget=p0gy97oedcx0fin1n83srxchqpzk.htm&docsetV...

Am attaching some screenshot in the document for reference.

Could you please suggest how to get the path for X509 and RSA Private key.

A sample snippet from the error:

2020-09-22 13:07:10,155 [main] ERROR com.sas.sdw.SDWExceptionHandler - java.io.IOException: Source '/etc/pki/tls/certs' exists but is a directory

Thanks,

Madhan M.

Anand_V · Posted 09-22-2020 10:17 AM

I saw the snap in the attached document. You will have to provide full path along with the ssl certificate file name in the first box and full path along with the key file name in the second box.

Madhan_cog1 · Posted 09-22-2020 10:30 AM

Hi Anand,

Yes understood but we would like to know how to get the path for RSA Key file . Should we generate RSA Key using SSL and use it .

Thanks,

Madhan M.

Anand_V · Posted 09-22-2020 10:34 AM

Usually the process is first you generate a key using which CSR is generated. CSR is then shared to certificate signing authority CA which generates the cert chain: root - intermediate - host cert and shares it back.

In the SDM you need to provide the CA signed cert and key generated in first step. If your web server and web app server are on different hosts or use alias mention them in CSR under SAN field in order to avoid any errors due to host or alias mismatch.

JuanS_OCS · Posted 09-30-2020 07:32 AM

Hello @Madhan_cog1 ,

is your issue still open? I see that it is running for actually quite a while.

Just in case it is still open, I will keep it real simple:

- I advise your organization security/certificate experts to generate the certificate for you, for an Apache server.

- Just in case you still need to do it, a FAQ that should resolve all your questions. When in doubt, google the errors: https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html

- In any case, what has to be known is:

a) SAS needs all the certificates in the path, in PEM base64 format, and the private key, in same format, and created for the alias you will use in the SDW deployment of your SAS web server.

b) you will need to provide it in the SDM and/or SDW: all the servers needs to have it, and every client with a Java SAS client (eg SAS Management Console) will need to import it with SDM.

Madhan_cog1 · Posted 09-30-2020 07:44 AM

Hi Juan,

Thanks for the response.

We have requested the organization to generate certificates for us. I hope that should solve our problem.

Thanks,

Madhan M

Madhan_cog1 · Posted 10-05-2020 07:02 AM

Hi Juan,

We have received the signed certificate (.pem certificate) from our organization.

We tried to bundle it using SAS Deployment Manager but we are getting error like below:

Failed to validate the certificate path.

Path does not chain with any of the trusted anchors.

Kindly suggest.

Thanks,

Madhan M.

JuanS_OCS · Posted 10-05-2020 07:11 AM

Hello @Madhan_cog1 ,

check the contents of the certificate. Probably this certificate it is just the server certificate (last one in the path).

You will need either the depending certificates (Root CA, Intermediate CA) in the same certificate, or separate. If they are together, you only need to point to that new certificate and import it with SDM. If they are separate, import them in order: first the Root CA, then the Intermediate CAs, then the server certificate as last one. The order is defined in the server certificate.

I personally like to work with separate certificates, but it is not needed, you can work with a chain certificate.

You are almost there, good luck!

Madhan_cog1 · Posted 10-13-2020 10:26 AM

Hi Juan,

Thanks for the response.

Could you please suggest how to add the Root CA and Intermediate CA certificate to the server certificate.

where we can find this Root CA and Intermediate CA certificate..

Thanks,

Madhan M.

Madhan_cog1 · Posted 10-13-2020 10:34 AM

Hi Juan,

Attaching the server.pem file for your reference. Please let us know whether it includes Root CA and Intermediate CA certificate.

Thanks for your help.

Regards,

Madhan M

JuanS_OCS · Posted 10-13-2020 10:51 AM

Hi @Madhan_cog1 ,

I would say the certificate looks good. I believe your certificates are complete and you should be ready to continue your deployment.

See how SAS documentation explains: https://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.5&docsetId=secref&docsetTarget=p1jf3...

I would expect the certificate in the following format, but yours is probably OK too:

https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-format.html

You will need a Private key as well (please do not post it here)

-----BEGIN RSA PRIVATE KEY-----
Base64–encoded private key
-----END RSA PRIVATE KEY-----

As side note, if you are interested in transforming the certificate into a certificate chain, you could:

1- rename extension to .cer

2- extract individual certificates ( Novo ... Root CA, Novo ... Issuing CA, scedevweb)

You can do this by opening your .cer, then click details tab and "Copy to File" button. For the other certificates, go to Certification path tab, click View Certificate and repear the Copy to file step)

3- You can build it by copy/paste contents of each into a .pem file in the following order: https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: scedevweb.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Novo_Issuing_CA.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: Novo_Root_CA.pem)
-----END CERTIFICATE-----

Madhan_cog1 · Posted 10-14-2020 02:47 AM

Hi Juan,

Thanks for the response.

When we try to bundle the .pem certificate using SASDM it fails with the below error.

Failed to validate the certificate path.

path does not chain any of the trust anchors.

Attached the screenshot.

Please let us know if this .pem certificate includes Root CA and intermediate CA or where we can find this certificates.

Thanks,

Madhan M