Hello,
We have Base SAS 9.4 M7 installed on a RHEL server. I am trying to encrypt the Connect Spawner with SSL; below is the command I am using to start the SAS Spawner:
ETLsasSpawnerCommand="${ETLsasRoot}/utilities/bin/cntspawn -service sasspawn -shell -netencryptalgorithm ssl -sslcalistloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/trustcert.pem -sslcertloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.pem -sslpvtkeyloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.ic.ing.net.key -sslpvtkeypass {SAS004}0568374BFFFB1E18393DBEFABB6A4FA74E67977AA6C4B149"
I tried a private key which is not password protected, but then I get an error like "ERROR: SSL Error: Cannot use private key file; please check your password."
I passed a password without SAS encoding; then also I get the error "ERROR: SSL Error: Cannot use private key file; please check your password."
I tried encoding the password with {SAS001}; then also I get the error "ERROR: SSL Error: Cannot use private key file; please check your password."
When we passed the password with {SAS005} encoding, it gives the error below:
SAH201001I Server SAS Connect Spawner, State, starting
SAS Connect Spawner version 9.40 (build date: Feb 1 2021)
Copyright (C) 2011-2013, SAS Institute Inc., Cary, NC, USA. All Rights Reserved
ERROR: The encryption provider libraries cannot be found.
ERROR: Unable to load extension: (tkersa2)
ERROR: SSL Error: Cannot use private key file; please check your password.
I have also defined the path to the tkersa2 library in the config file, but that didn't help.
Can someone please help solve this issue? We would prefer not to use any password for the private key.
It could be that the problem is your private key file, not the password. Make sure your private key file is in PEM format, i.e., it is human readable and starts with something like "-----BEGIN RSA PRIVATE KEY-----".
You can test whether the certificate, private key file, and password are correct using the openssl command with the s_server subcommand:
openssl s_server -debug -www -cert /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.pem -key /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.ic.ing.net.key -pass pass:<password> -CAfile /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/trustcert.pem
If the password is invalid, you will see:
unable to load server certificate private key file
140521628231496:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535:
140521628231496:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
140521628231496:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:
140521628231496:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:
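The two checks in this answer (is the key file really PEM, and does it actually need a password) can be scripted so they run on the spawner host before touching cntspawn. The following is an added example, not SAS code and not part of the reply above: it classifies the raw bytes of a key or certificate file (PEM vs. DER/PKCS#12, legacy "DEK-Info" encryption vs. PKCS#8 "ENCRYPTED PRIVATE KEY", BOM and CRLF debris), and then asks Python's stdlib ssl module to load the cert/key pair, which is the offline equivalent of the openssl s_server test above. File names, the pemcheck.py usage and the sample inputs at the bottom are assumptions; the samples use real PEM headers but constructed, non-key bodies.

```python
"""Inspect the PEM files given to cntspawn -sslcertloc / -sslpvtkeyloc.

Added example, not SAS code. Applies the checks from the thread (is the
private key really PEM? does it need a password at all?) to the raw file
bytes, then loads the cert/key pair with the stdlib ssl module, the offline
equivalent of 'openssl s_server'. The SAMPLES below are constructed inputs,
not real keys or certificates.
"""
import re
import ssl
import sys
from typing import Dict, List, Optional, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def inspect_pem(data: bytes) -> Dict[str, object]:
    """Classify a key or certificate file without decoding its contents.

    kind: 'unencrypted-key' | 'encrypted-key' | 'certificate' | 'other-pem'
          | 'not-pem' | 'empty'.  needs_password is True only for an
          encrypted key.  problems lists things that make OpenSSL choke.
    """
    problems: List[str] = []
    if not data:
        return {"kind": "empty", "needs_password": False, "labels": [], "problems": ["file is empty"]}
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before the BEGIN line; strip it")
        data = data[3:]
    if b"\r\n" in data:
        problems.append("CRLF line endings (copied from Windows?); run dos2unix")
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if not blocks:
        binary = any(b > 0x7E or (b < 0x20 and b not in (9, 10, 13)) for b in data[:64])
        problems.append(
            "binary content, probably DER or PKCS#12 (.p12/.pfx), not PEM; convert it first, "
            "e.g. openssl pkcs12 -in store.p12 -nocerts -nodes -out key.pem"
            if binary else "no -----BEGIN ...----- / -----END ...----- block found")
        return {"kind": "not-pem", "needs_password": False, "labels": [], "problems": problems}
    labels = [label for label, _ in blocks]
    encrypted = unencrypted = False
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY":            # PKCS#8, password-protected
            encrypted = True
        elif label in KEY_LABELS:                       # PKCS#8 or legacy OpenSSL format
            if "Proc-Type: 4,ENCRYPTED" in body or "DEK-Info:" in body:
                encrypted = True                        # legacy format, password-protected
            else:
                unencrypted = True
        elif label != "CERTIFICATE":
            problems.append(f"unexpected PEM label {label!r}")
    kind = ("encrypted-key" if encrypted else "unencrypted-key" if unencrypted
            else "certificate" if "CERTIFICATE" in labels else "other-pem")
    return {"kind": kind, "needs_password": encrypted, "labels": labels, "problems": problems}


def try_load_cert_chain(certfile: str, keyfile: str, password: Optional[str] = None) -> Tuple[bool, str]:
    """Load the pair the way a TLS server would.  password is the clear-text
    passphrase: OpenSSL knows nothing about SAS's {SAS00x} encoding."""
    try:
        with open(keyfile, "rb") as fh:
            info = inspect_pem(fh.read())
        if info["kind"] not in ("unencrypted-key", "encrypted-key"):
            return False, f"{keyfile}: not a PEM private key ({info['kind']}): {'; '.join(info['problems'])}"
        if info["needs_password"] and password is None:
            # Without this guard OpenSSL prompts on the terminal and a batch run hangs.
            return False, f"{keyfile}: key is encrypted but no password was given"
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile, password)
    except ssl.SSLError as exc:             # wrong password, key/cert mismatch, garbage PEM
        return False, f"OpenSSL rejected the pair: {exc.reason}: {exc}"
    except OSError as exc:                  # missing or unreadable file
        return False, str(exc)
    extra = "" if info["needs_password"] else "; the key is unencrypted, so no -sslpvtkeypass is needed"
    return True, f"{certfile} and {keyfile} load together{extra}"


# Constructed sample files: real PEM headers, bodies that are not key material.
SAMPLES = {
    "plain_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA-constructed-not-a-real-key\n-----END RSA PRIVATE KEY-----\n",
    "legacy_encrypted_key": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             b"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                             b"constructed-ciphertext-body\n-----END RSA PRIVATE KEY-----\n"),
    "pkcs8_encrypted_key": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkq-constructed\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "cert_with_crlf": b"-----BEGIN CERTIFICATE-----\r\nMIIDdzCCAl-constructed\r\n-----END CERTIFICATE-----\r\n",
    "pkcs12_binary": b"\x30\x82\x0a\x1f\x02\x01\x03\x30\x82\x09\xe5\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01",
}

if __name__ == "__main__":
    if len(sys.argv) >= 3:                  # usage: pemcheck.py cert.pem key.pem [password]
        ok, msg = try_load_cert_chain(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
        print("OK" if ok else "FAIL", msg)
        sys.exit(0 if ok else 1)
    for name, data in SAMPLES.items():      # no arguments: show the classifier on the samples
        print(f"{name:22s} -> {inspect_pem(data)}")
```

Run it as `python pemcheck.py clrv0000214910.pem clrv0000214910.ic.ing.net.key` (add the clear-text passphrase as a third argument only if the key is encrypted). A key that classifies as `not-pem` is the case this reply describes; a key that is `unencrypted-key` needs no `-sslpvtkeypass` at all, which matches the preference stated in the question.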
Many thanks @doug_sas for the reply; indeed the issue was with the private key file. The Spawner was successfully started with a different file.
But now I want to connect my Windows custom client to the Spawner running on the RHEL server.
We use the scripted method (tcpunix.scr) to sign on to the spawner; the code below is used to invoke the sign-on:
%include ".\address.sas";
options netencryptalgorithm=ssl;
options remote=TOOLremo;
filename rlink ".\tcpunix.scr";
- the address file contains the server name and port
- below is the code of the tcpunix.scr file, which simply runs a ksh script on the server to launch a SAS session on the spawner
______________________________________________________________________________________________________________________
type 'sas -dmr -noterminal netencryptalgorithm=ssl -nosyntaxcheck' LF;
waitfor 'SESSION ESTABLISHED', 90 seconds : nosas;
log 'NOTE: SAS/CONNECT conversation established.';
stop;
unxspawn:
type "ksh /ING/DWH/ETL/common/tools/sas/sasetlmonitor &TOOLShoNam &TOOL_CLIusr" LF;
waitfor 'SESSION ESTABLISHED', 90 seconds : nosas;
stop;
___________________________________________________________________________________________________________
- below is the code of the ksh script (sasetlmonitor) that is called by the tcpunix.scr file
${ETLsasRoot}/sas -dmr \
-altlog ${altlog} \
-work ${work} \
-config ${config} \
-sslcertloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/cert.pem \
-sslpvtkeyloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/privkey.pem \
-device grlink \
-noterminal \
-nonews \
-no\$syntaxcheck \
-dmsbatch
_______________________________
I have already imported and trusted the certificate on the Windows client server, but when I try to log in to the spawner with the client we get the error below in the RHEL logs:
Running as user dwhmgr on hostname clrv0000214910.ic.ing.net
ERROR: A communication subsystem environment initialization request failure
ERROR: has occurred.
ERROR: Network request failed (rc 0x00007F971B5324B0) - SSL Error:
ERROR: Certificate was not found.
NOTE: SAS Institute Inc., SAS Campus Drive, Cary, NC USA 27513-2414
NOTE: The SAS System used:
NOTE: real time 0.02 seconds
NOTE: cpu time 0.03 seconds
NOTE:
NOTE: SAH239999I CONNECT, State, stopped
Can you please help me debug the issue, in case I am missing where to pass the certificate file?
Many thanks in advance for your time 🙂
Seems to me that your script is going to run 'sas -dmr -noterminal netencryptalgorithm=ssl -nosyntaxcheck' and not your ksh script. Since there are no SSL options, the connection is going to fail, as you found out.
Look at https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.3/connref/p0ze0vzqoyxy34n1sa0rpk8qd5n5.htm for more information about signon scripts.
Thanks, we were able to log in to the SAS Spawner with our client.
I have one silly question, sorry for that: is there a way to confirm the connection is encrypted with SSL? On the client server I checked, and it shows SAS is using TCP port 14555, so does that mean the SAS client is connected to the Spawner on TCP port 14555 with SSL encryption?
- below is the process which runs on the server when the client session is successfully established with the Spawner
We have not defined COMAMID=TCP anywhere, so is this the default?
1) The client log should state that it is using SSL for encryption.
2) For UNIX/Linux/Windows TCPIP is always used. For MVS, it may use XMS (shared memory) or TCPIP.