Hello @japsas100,

yes, you will need to stop every running process running under /opt/sas, including the httpd server. Although not sure why ./sas.servers stop did not stopped this service.

Hope it helps!

Juan

Thanks JuanS_OCS,

This service was not stopped by  ./sas.servers because this it insatllad with root user and other services with sas user. 

Do we need to stop the below service as well?

as 2479 1 0 Jun05 ? 00:02:49 /opt/sas/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/java -Xmx512m -Declipse.ignoreApp=true -Dosgi.logfile=logs/osgi.log -Dsolstice.input.properties=config/agent.properties -cp plugins/org.eclipse.equinox.launcher_1.2.0.v20110502.jar org.eclipse.equinox.launcher.Main -configuration configurations/agent -noExit
ss

---

@japsas100 wrote:

Thanks JuanS_OCS,

 

This service was not stopped by  ./sas.servers because this it insatllad with root user and other services with sas user. 

 

Do we need to stop the below service as well?

 

as 2479 1 0 Jun05 ? 00:02:49 /opt/sas/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/java -Xmx512m -Declipse.ignoreApp=true -Dosgi.logfile=logs/osgi.log -Dsolstice.input.properties=config/agent.properties -cp plugins/org.eclipse.equinox.launcher_1.2.0.v20110502.jar org.eclipse.equinox.launcher.Main -configuration configurations/agent -noExit
ss

---

According to your initial post,

sas       2889     1  0 Jun05 ?        00:00:40 /opt/sas/sashome/SASWebServer/9.4/httpd-2.2/bin/httpd.worker -d /opt/sas/config/Lev1/Web/WebServer

the service runs under user sas. Everything under /opt/sas/sashome should be installed with user sas, and only a selected group of files is changed to owner root after the install. httpd is not among those. So you either commited a blunder in the original install, or you must have misread something.

Hello,

 @Kurt_Bremser: I believe you are wrong in a little detail: if you want an httpd service to be started on a restricted port (bellow 1024) such as default http port 80 or https port 443, the service MUST run as priviledged user (root). To the config of Appache you can tell him that subprocesses can be started as sas user and sas group, but the initial service must be started as root/priviledged user.

There are some workarounds to this, as modifig the port bindings to privliledged users, and re-routing... but those are actually not very secure/manageable options.:

https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileg...

https://serverfault.com/questions/112795/how-to-run-a-server-on-port-80-as-a-normal-user-on-linux

@japsas100: yes, every process on "ps" that runs below your /opt/sas folder. 

The process in the OP has a PPID of 1, so it is the main httpd, meaning that was started as user sas. For a typical "standard" apache setup for ports 80 & 443, the process with PPID 1 would run as root, while all children would run as nobody.

Thanks JuanS_OCS,

Ok, may be I misread something during installation. 

Httpd service has a sas user ownership (please see below) but to start and stop this service required root access. How we can fix this issue before upgrading the maintanice M4.

Can you also share the step to fix this issue.

cd /opt/sas/config/Lev1/Web/WebServer/conf/extra

-rw-r--r--. 1 sas sas 11241 Mar 18 12:55 httpd-ssl.conf

@japsas100, you can see the workaround on my first link, to modify restricted port bindings. Although I would keep stopping/starting the service as root, and let Apache to launch the httpd workers as sas user, to maintain Linux standards..

Thanks JuanS_OCS,

If we do not make any changes, Does this make any impact during upgrade from M3 to M4?

One think I noticed earlier, when we have reboot linux server after installation, if we open sas portal on new browser with https its throwing security error and same issue I alredy raised earlier on sas community howerver, there is no security issue if we open sas portal on old browser where certificate alredy installed.

https://communities.sas.com/t5/Administration-and-Deployment/HTTPS-ERROR-After-Server-Reboot/m-p/362...

The only impact is that you will have an error everytime SDW/SDM will try to start the Web Server. It won't be able to. Once you start it manually, it should not be a problem, you click on retry and SDW/SDM should be able to resume.

The only option to prevent/workaround those errors is to temporary change the restricted port and user root to a non restricted port and user sas, but this might take you around alf of a day if you have not done it before (because you need to change metadata and config files).

http://support.sas.com/documentation/cdl/en/bimtag/69826/HTML/default/viewer.htm#n0haeml26dr4fmn1it9... (and sub-links)

About that other issue, I don't know what else to tell you besides what it is already on that thread. If you have unclear points, let's continue on that thread better, to separate topics.

Thanks for details.

One last question, During maintaince upgrade, do we again add site-signed certificates file after deplyment?

I am refering here step 7 of  sas installation guide. FYI we hare going to upgrade from 9.4M3 to M4.

http://support.sas.com/documentation/cdl/en/whatsdiff/66129/HTML/default/viewer.htm#installsteps.htm

Generally speaking, you don't, but maybe you will need them, if the jscerts store gets empty.

I would definetely keep them on the reach of your hand, just in case they are needed. Otherwise, you can use tools to get them from the web server and import them into the java certificate store. http://support.sas.com/kb/57/370.html (I LOVE this tool).

Anyway, to add the certificates should not take more than 5 additional minutes.

This tool is only supported window env not linux. Anyway I will add these certificates again.

Can you please share the order to add these certificates. We are using site certificate and have only two files: - Root Certificate and the Server Certificate

Never tried to run it on Linux, since it is a jar from java, I was under the understanding that, as far as you do have X11 enabled, you could run it. Anyway, thanks, good to know.

About the order for certificates import, is always the Root CA certificate first, then the local CA (if you do have any), and then the server certificate.

Thanks for quick reply.

Could you please advise what would be default password of sas various internal users? 

When I type sastrust@saspw password for sastrust@saspw user its throwing error like incorrect password.