@YvetteS,

Please clarify, which application they are using? SAS Environment Manager? SAS Studio 4? SAS Studio 5? SAS Home?

From the "SAS Home" link to login into Viya for VA

@YvetteS,

Thanks, please check the most recent log file in /opt/sas/viya/config/var/log/saslogon/default directory. Do you see any errors there?

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

        at

Looks like some sort of certificate issue - forgive me I am not a server administrator, and am working with our IT dept who has little experience with this as Zencos did the install - so if you have any trouble shooting steps that would be appreciated.

Another Log Snip

[root@cawina06 default]# grep ERROR sas-saslogon_2018-09-09_10-27-48.log

2018-09-09 10:28:26.901 ERROR 24451 --- [n Asynchronous4] c.s.credentials.bootstrap.DomainLoader   : service [82854b7902879700] [domain.create.error.fmt.log] Error creating credentials domain Domain: /credentials/domains/kerberos (GSSCredential) 405 Method Not Allowed

2018-09-09 10:28:26.909 ERROR 24451 --- [n Asynchronous5] c.s.c.bootstrap.ConfigurationLoader      : service [01b40d7d4017b355] [CONFIGURATION_BOOTSTRAP_RESTCLIENT_EXCEPTION] POST encountered an exception attempting to invoke the [HTTPMethod=com.sas.configuration.bootstrap.ConfigurationLoader@7b91d9f][endPoint=/configuration/definitions]

2018-09-09 10:28:28.240 ERROR 24451 --- [n Asynchronous4] c.s.credentials.bootstrap.DomainLoader   : service [82854b7902879700] [domain.create.error.fmt.log] Error creating credentials domain Domain: /credentials/domains/kerberos (GSSCredential) 405 Method Not Allowed

2018-09-09 10:28:31.911 ERROR 24451 --- [n Asynchronous4] c.s.credentials.bootstrap.DomainLoader   : service [82854b7902879700] [domain.create.error.fmt.log] Error creating credentials domain Domain: /credentials/domains/kerberos (GSSCredential) 405 Method Not Allowed

2018-09-09 10:28:31.916 ERROR 24451 --- [n Asynchronous5] c.s.c.bootstrap.ConfigurationLoader      : service [25697dcb24315ddc] [CONFIGURATION_BOOTSTRAP_RESTCLIENT_EXCEPTION] POST encountered an exception attempting to invoke the [HTTPMethod=com.sas.configuration.bootstrap.ConfigurationLoader@7b91d9f][endPoint=/configuration/definitions]

2018-09-09 10:28:36.981 ERROR 24451 --- [n Asynchronous4] c.s.credentials.bootstrap.DomainLoader   : service [82854b7902879700] [domain.create.error.fmt.log] Error creating credentials domain Domain: /credentials/domains/kerberos (GSSCredential) 405 Method Not Allowed

2018-09-09 10:28:41.925 ERROR 24451 --- [n Asynchronous5] c.s.c.bootstrap.ConfigurationLoader      : service [e20c3168892a974b] [CONFIGURATION_BOOTSTRAP_RESTCLIENT_EXCEPTION] POST encountered an exception attempting to invoke the [HTTPMethod=com.sas.configuration.bootstrap.ConfigurationLoader@7b91d9f][endPoint=/configuration/definitions]

2018-09-09 10:28:49.371 ERROR 24451 --- [n Asynchronous4] c.s.credentials.bootstrap.DomainLoader   : service [82854b7902879700] [domain.create.error.fmt.log] Error creating credentials domain Domain: /credentials/domains/kerberos (GSSCredential) 405 Method Not Allowed

@YvetteS,

Thanks. I just want to see who exactly is throwing this exception:

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

Please do "tail -f" on the most recent SAS Logon log and try to log in to the system. Send to me what will be added on the screen.

If you having connection issues to LDAP(s), most likely the certificate has been updated but not added to SAS Viya trusted store.

Here is what we get:

2018-09-13 11:25:21.962 ERROR 24451 --- [o-auto-1-exec-2] w.a.UsernamePasswordAuthenticationFilter : service [804d145fb06de916] An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: cawinc01.cyphersystems.com:3269; nested exception is javax.naming.CommunicationException: cawinc01.cyphersystems.com:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

@YvetteS,

Have you recently changed SSL certificate on your LDAP server? If yes, you have to add new or updated certificate to SAS VIya as described in document below:

Encryption in SAS® Viya® 3.4: Data in Motion -> Encrypt LDAP Connections -> Configure the LDAPS (Sec...

Our IT guy is saying that he is not aware of any changes and that the LDAP server is one of the domain controllers?

@YvetteS,

Something has been changed. This command will show you which certificate is currently in use on your LDAP server:

openssl s_client -showcerts -connect <LDAP_SERVER_NAME>:<LDAP_PORT> < /dev/null

Make sure that this certificate has been added to SAS Viya. 

OK thanks we'll give it a try.

@YvetteS,

Sure, keep me posted.

The certificate location is empty ...

[root@cawina06 default]# pwd
/opt/sas/viya/config/etc/consul.d/default
[root@cawina06 default]# ls
[root@cawina06 default]#

At this point we feel we have exhausted our ability to resolve the issue and are looking to engage Zencos.  Thanks for your support in helping us pinpoint the issue.

@YvetteS,

Here is correct link for SAS Viya 3.3: https://go.documentation.sas.com/?cdcId=calcdc&cdcVersion=3.3&docsetId=secref&docsetTarget=n1xdqv1se... . You can also open SAS Technical Support Track.