JustHangingOn
Fluorite | Level 6

I am still in a bit of a State of Shock!  Upon learning that SAS, as an organization, does not provide support for proper and secure configuration of the Integrated Apache Tomcat Web Server, I was taken aback, to say the least!  How can you provide a Web Interface, but deny any responsibility for configuring SSL\TLS security for that Web Based Product?  When I mentioned to the Server Operations mgr & the Information Security Officer, it was several minutes before they could contain their laughter!!

 

I am trying to import a CA Signed Cert into the Tomcat Keystore file.  The instructions provided are 3rd party and therefore rather generic and difficult to follow.  Instructions want the keychain file and the Cert file imported separately.  The Cert file that I have is the Cert and Chain bundled together, and I suspect that may be the source of my troubles, but since SAS does not support the activity, I am not sure whom I can ask for guidance.  My importation step received a Successful report.  When I try to start the SASStudioWebAppServer it fails with java.io.IOException: Alias name (Aliasname) does not identify a key entry.  

 

Has anyone completed a configuration of a CA Signed Cert into their KeyStore file?  Have a set of steps/procedures that you can share?  

Accepted Solutions
shayne
SAS Employee

Hi JustHangingOn - 

 

I certainly understand your frustration, and I'm sorry to hear that you were not happy with your call with SAS Technical Support.

 

To start, let's clarify terms: when a SAS Technical Support Representative says that something is "not supported", it does not mean it cannot be done or it will not work with our software. If something is "not supported" by SAS, it means that SAS Technical Support cannot necessarily assist you in implementing or troubleshooting the configuration. I'm sorry to hear this was not explained when you spoke with the technical support representative. In your specific scenario, SAS Technical Support is not the best resource to assist you because the product that is being configured (Apache Tomcat web application server) is not developed internally by SAS. The third-party that developed this application is a far better resource than SAS to assist you in achieving your goal. Please see the instructions for configuring a CA certificate with an Apache Tomcat web application server which are published by Apache. 

 

Second I wanted to note that while the SAS documentation link our reference to SASStudioWebAppServer leads me to believe you are running SAS Studio Basic edition. If that is correct, then you can use the documentation associated with configuring TLS for that edition. These instructions are for using a self-signed certificate rather than a certificate generated by an official certificate authority (CA), but you can refer to the official Apache documentation linked above to achieve your desired configuration using the CA certificate.

 

SAS supports a portfolio of hundreds of SAS-developed applications so we are limited in providing complete support for all possible configurations of third-party products used by our applications. I understand based on your previous posts in this thread you may not agree with this decision, but I hope the information I have provided above helps to clarify your expectations for the free technical support services provided by SAS and leads to a more positive experience in the future. 

 

I'm glad that you have successfully achieved your goal of configuring TLS with SAS Studio using a CA certificate by reading the very helpful information provided by JuanS_OCS

 

Thank you for your feedback, and thank you for using SAS!

Kurt_Bremser
Super User

IMO, that's a side-effect of the less-than-optimal decision to employ a third party for an open source product.

If I were SAS, I'd have set up a small department for the configuration of the apache/tomcat stack, and kept the compilation of the necessary open source parts in-house. Then it would also be much easier to quickly supply the customers with updated products whenever a new apache/tomcat version is released.

Right now we all are working with outdated software that has security issues. If "my" SAS/data warehouse website were not contained behind the company firewall, I would not be allowed to run it.

JuanS_OCS
Amethyst | Level 16

Hello @JustHangingOn,

 

Yes, many times. I am sorry to hear about your problem, but I can hardly see how SAS is to be blamed for this, to be honest (I am not a SAS employee). I think your question is more about generic IT/Security than product based. Let me explain:

 

- Please take a look at http://documentation.sas.com/?docsetId=bimtag&docsetTarget=n0nakjyj6hlqmvn11p9p04l25j9n.htm&docsetVe...

 

- Your error can be googled, you will see it is very generic. And actually, you can already find the answers

 

https://stackoverflow.com/questions/8799660/tomcat-ssl-error-alias-name-does-not-identify-a-key-entr...

https://stackoverflow.com/questions/11303107/ssl-certificate-on-tomcat-alias-name-does-not-identify-...

 

- When the CA issues the certificate, the alias must be valid and capable of being resolved (this is true for the CA, intermediates and server certificate). The certificate chain must be valid and the certificates must be in the appropriate format. SAS works with PEM (base-64) certificates.

 

- SAS provides a way to update the certificates (CA signed are the best, actually), the SAS Deployment Manager. This tool will update the certificates on your SASPrivateJRE (Java store) and your web server... but on previous maintenance you need to do this manually, which is easy anyway with keytool and the httpd-ssl.conf file on the Web Server.

 

I can imagine your frustration comes down to the urgency of the change and the stability. My best suggestion is that, when you have some urgent matters, you might share the question here, but you can also give a call to your SAS Technical Support, always willing to help.
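Added example (not part of the original posts, and not SAS or Apache code): a pre-start check for the error discussed above, which classifies the alias Tomcat is configured to use from a `keytool -list -v` listing. The function name `check_alias`, the alias names and the sample listing are constructed for illustration; English-locale keytool output is assumed.

```shell
# Constructed, abridged sample of `keytool -list -v` output (English locale assumed).
SAMPLE_LISTING=$(cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 3 entries

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=sas.example.test

Alias name: imported
Entry type: trustedCertEntry

Owner: CN=sas.example.test

Alias name: fresh
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sas.example.test
EOF
)

# check_alias ALIAS: reads a `keytool -list -v` listing on stdin, prints a verdict.
#   0 key-with-chain   private key plus CA chain: what Tomcat needs
#   1 key-no-chain     private key with only its own cert (CA reply not installed)
#   2 no-private-key   e.g. trustedCertEntry: "does not identify a key entry"
#   3 missing          alias not present in the keystore
check_alias() {
  awk -v want="$1" '
    BEGIN { want = tolower(want) }            # compare aliases case-insensitively
    /^Alias name: / { cur = tolower(substr($0, 13)); next }
    cur != want { next }                      # skip lines of other entries
    /^Entry type: / { type = $3 }
    /^Certificate chain length: / { len = $4 + 0 }
    END {
      if (type == "") { print "missing"; exit 3 }
      if (type != "PrivateKeyEntry") { print "no-private-key"; exit 2 }
      if (len >= 2) { print "key-with-chain"; exit 0 }
      print "key-no-chain"; exit 1
    }'
}

# Real use (path and alias are placeholders):
#   keytool -list -v -keystore /path/to/keystore | check_alias tomcat
for a in tomcat imported fresh nosuch; do
  printf '%-9s %s\n' "$a" "$(printf '%s\n' "$SAMPLE_LISTING" | check_alias "$a")"
done
```

A `no-private-key` verdict usually means the signed certificate was imported under a new alias, or into a different keystore than the one that generated the CSR. Importing the CA reply under the original key alias replaces the self-signed certificate in place and keeps the entry a `PrivateKeyEntry`.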

 

 

JustHangingOn
Fluorite | Level 6

Greatly appreciate your links.  The first link had the needed information, and for that, I am most grateful!!

 

As to the place to put the responsibility for supporting this beast, I disagree.  If SAS did not want to support the Baked In Apache Tomcat Server, they should not have integrated the Web Server and Web interface into their product.  They sold it with a Web Interface, they have responsibility to support the product that they designed and put on the market!  If they do not wish to support the headaches of Tomcat Server, they should come up with a different user Interface!

JuanS_OCS
Amethyst | Level 16

@JustHangingOn, glad to know it helped.

 

I cannot understand at this moment why you say that it is not supported by SAS, when the document that helped you is on the documentation site from SAS.

JustHangingOn
Fluorite | Level 6

Because when I called SAS support they said "We do not support that configuration!"  That is why...  

JuanS_OCS
Amethyst | Level 16

Well, that is interesting, because clearly SAS as a company does support SSL configurations, hence the URL that I have sent to you (from SAS).

From my current understanding, and without knowing more, I clearly see now where your frustration may come from, although I believe that sentence came from a possible miscommunication. Anyway, my best advice here: perhaps you can send an email to your SAS Technical Support, to let them know you found the solution in the SAS documentation itself. This would improve their knowledge base and help others, the same as here in the Communities.

