Hi All,
We have installed and configured SAS 9.4M5 Grid version(Multi tier architecture).
Could you please suggest how to configure HTTPS for Web server.
We are able to access the Mid tier components only through HTTP now.
Please suggest how to configure for HTTPS.
Thanks,
Madhan M.
Hello @Madhan_cog1 ,
Mainly you will need to follow this document (and links in it), to switch the SAS Web server to HTTPS
Do you need to change the SAS Web Application Server(s) to HTTPS? In that case you would need to follow these steps as well:
Normally with the first document is enough, given that is the only requirement from your Security Office.
Best regards.
Juan
Hi @Madhan_cog1
Please follow the steps shared by @JuanS_OCS . Also I would advise in the future it's good to enable HTTPs during configuration phase itself as you can avoid a lot of manual changes and errors caused due to it. Depending upon the web applications deployed at your site it will only add to the complexity.
Hi Juan/Anand,
Thanks for your response.
As suggested we are trying to enable HTTPS during configuration phase in a different level(Lev1)..
We are facing some issues while configuring HTTPS in web server.
SAS Deployment Wizard was prompting for the path for X509 certificate and RSA private key.
We used the below link to get the path for X509 and RSA private key but we are still facing issues.
Am attaching some screenshot in the document for reference.
Could you please suggest how to get the path for X509 and RSA Private key.
A sample snippet from the error:
2020-09-22 13:07:10,155 [main] ERROR com.sas.sdw.SDWExceptionHandler - java.io.IOException: Source '/etc/pki/tls/certs' exists but is a directory
Thanks,
Madhan M.
Hi Anand,
Yes understood but we would like to know how to get the path for RSA Key file . Should we generate RSA Key using SSL and use it .
Thanks,
Madhan M.
Hello @Madhan_cog1 ,
is your issue still open? I see that it is running for actually quite a while.
Just in case it is still open, I will keep it real simple:
- I advise your organization security/certificate experts to generate the certificate for you, for an Apache server.
- Just in case you still need to do it, a FAQ that should resolve all your questions. When in doubt, google the errors: https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html
- In any case, what has to be known is:
a) SAS needs all the certificates in the path, in PEM base64 format, and the private key, in same format, and created for the alias you will use in the SDW deployment of your SAS web server.
b) you will need to provide it in the SDM and/or SDW: all the servers needs to have it, and every client with a Java SAS client (eg SAS Management Console) will need to import it with SDM.
Hi Juan,
Thanks for the response.
We have requested the organization to generate certificates for us. I hope that should solve our problem.
Thanks,
Madhan M
Hi Juan,
We have received the signed certificate (.pem certificate) from our organization.
We tried to bundle it using SAS Deployment Manager but we are getting error like below:
Failed to validate the certificate path.
Path does not chain with any of the trusted anchors.
Kindly suggest.
Thanks,
Madhan M.
Hello @Madhan_cog1 ,
check the contents of the certificate. Probably this certificate it is just the server certificate (last one in the path).
You will need either the depending certificates (Root CA, Intermediate CA) in the same certificate, or separate. If they are together, you only need to point to that new certificate and import it with SDM. If they are separate, import them in order: first the Root CA, then the Intermediate CAs, then the server certificate as last one. The order is defined in the server certificate.
I personally like to work with separate certificates, but it is not needed, you can work with a chain certificate.
You are almost there, good luck!
Hi Juan,
Thanks for the response.
Could you please suggest how to add the Root CA and Intermediate CA certificate to the server certificate.
where we can find this Root CA and Intermediate CA certificate..
Thanks,
Madhan M.
Hi Juan,
Attaching the server.pem file for your reference. Please let us know whether it includes Root CA and Intermediate CA certificate.
Thanks for your help.
Regards,
Madhan M
Hi @Madhan_cog1 ,
I would say the certificate looks good. I believe your certificates are complete and you should be ready to continue your deployment.
See how SAS documentation explains: https://documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.5&docsetId=secref&docsetTarget=p1jf3...
I would expect the certificate in the following format, but yours is probably OK too:
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-format.html
-----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE-----
You will need a Private key as well (please do not post it here)
-----BEGIN RSA PRIVATE KEY----- Base64–encoded private key -----END RSA PRIVATE KEY-----
As side note, if you are interested in transforming the certificate into a certificate chain, you could:
1- rename extension to .cer
2- extract individual certificates ( Novo ... Root CA, Novo ... Issuing CA, scedevweb)
You can do this by opening your .cer, then click details tab and "Copy to File" button. For the other certificates, go to Certification path tab, click View Certificate and repear the Copy to file step)
3- You can build it by copy/paste contents of each into a .pem file in the following order: https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
-----BEGIN CERTIFICATE----- (Your Primary SSL certificate: scedevweb.pem) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Intermediate certificate: Novo_Issuing_CA.pem) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Root certificate: Novo_Root_CA.pem) -----END CERTIFICATE-----
Hi Juan,
Thanks for the response.
When we try to bundle the .pem certificate using SASDM it fails with the below error.
Failed to validate the certificate path.
path does not chain any of the trust anchors.
Attached the screenshot.
Please let us know if this .pem certificate includes Root CA and intermediate CA or where we can find this certificates.
Thanks,
Madhan M
The SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment.
SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.
Find more tutorials on the SAS Users YouTube channel.