BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
lalit_Jalkhare
Fluorite | Level 6

Hello,

we have Base SAS 9.4 M7 installed on a RHEL server i am trying to encrypt the Connect/Spawner with SSL below is the command i am using to start the SAS Spawner

ETLsasSpawnerCommand="${ETLsasRoot}/utilities/bin/cntspawn -service sasspawn -shell -netencryptalgorithm ssl -sslcalistloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/trustcert.pem -sslcertloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.pem -sslpvtkeyloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.ic.ing.net.key -sslpvtkeypass {SAS004}0568374BFFFB1E18393DBEFABB6A4FA74E67977AA6C4B149"

 

i tried a private key which is not password protected but then i get error like "ERROR: SSL Error: Cannot use private key file; please check your password."

I passed a password without SAS encoding then also i get error  "ERROR: SSL Error: Cannot use private key file; please check your password."

I tried encoding password with {SAS001} then also i get error  "ERROR: SSL Error: Cannot use private key file; please check your password."

 

when we passed password with {SAS005} encoding then it gives below error 

SAH201001I Server SAS Connect Spawner, State, starting

SAS Connect Spawner version 9.40 (build date: Feb 1 2021)
Copyright (C) 2011-2013, SAS Institute Inc., Cary, NC, USA. All Rights Reserved
ERROR: The encryption provider libraries cannot be found.
ERROR: Unable to load extension: (tkersa2)
ERROR: SSL Error: Cannot use private key file; please check your password.

 

i have also defined the path to tkersa2 library in the config file, but didn't helped

can someone please help to solve this issue, we will prefer to not use any password for the private key

1 ACCEPTED SOLUTION

Accepted Solutions
doug_sas
SAS Employee

1) The client log should state that it is using SSL for encryption.
2) For UNIX/Linux/Windows TCPIP is always used. For MVS, it may use XMS (shared memory) or TCPIP.

View solution in original post

5 REPLIES 5
doug_sas
SAS Employee

It could be that the problem is your private key file, not the password. Make sure your private key file is a PEM file format, i.e., it is human readable and starts with something like "-----BEGIN RSA PRIVATE KEY-----".

 

You can test to see if the certificate, private key file, and password are correct using openssl command with the s_server subcommand:

openssl s_server -debug -www -cert /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.pem -key /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/clrv0000214910.ic.ing.net.key -pass pass:<password> -CAfile /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/trustcert.pem

If the password is invalid, you will see
unable to load server certificate private key file
140521628231496:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535:
140521628231496:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
140521628231496:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:
140521628231496:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

lalit_Jalkhare
Fluorite | Level 6

Many Thanks @doug_sas  for the reply, indeed the issue was with the private key file, the Spawner was  successfully stated with a different file.

 

But now i want to connect my windows custom client to the Spawner running on the RHEL Server.

we use the scripted method (tcpunix.scr) to sign on to the spawner below code is used to invoke the sign on 

 

%include ".\address.sas";
options netencryptalgorithm=ssl;
options remote=TOOLremo;
filename rlink ".\tcpunix.scr";

 

- the address file contains the server name and port name

- below is the code of tcpunix.scr file which simply run a ksh script on the server to launch a SAS session on the spawner

______________________________________________________________________________________________________________________

type 'sas -dmr -noterminal netencryptalgorithm=ssl -nosyntaxcheck' LF;
waitfor 'SESSION ESTABLISHED', 90 seconds : nosas;

log 'NOTE: SAS/CONNECT conversation established.';
stop;

unxspawn:
type "ksh /ING/DWH/ETL/common/tools/sas/sasetlmonitor &TOOLShoNam &TOOL_CLIusr" LF;
waitfor 'SESSION ESTABLISHED', 90 seconds : nosas;
stop;

___________________________________________________________________________________________________________

 

- Below is the code of the KSH script (sasetlmonitor) which is called by the tcpunix.scr file

 

${ETLsasRoot}/sas -dmr \
-altlog ${altlog} \
-work ${work} \
-config ${config} \
-sslcertloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/cert.pem \
-sslpvtkeyloc /opt/DWH/ETL/common/tools/misc/spawn/bin/keystore/store/privkey.pem \
-device grlink \
-noterminal \
-nonews \
-no\$syntaxcheck \
-dmsbatch

_______________________________

 

i have alraedy imported and trusted the certificate on the windows client server, but when i try to login to spawner with client we get below error on rhel logs

 

Running as user dwhmgr on hostname clrv0000214910.ic.ing.net
ERROR: A communication subsystem environment initialization request failure
ERROR: has occurred.
ERROR: Network request failed (rc 0x00007F971B5324B0) - SSL Error:
ERROR: Certificate was not found.
NOTE: SAS Institute Inc., SAS Campus Drive, Cary, NC USA 27513-2414
NOTE: The SAS System used:
NOTE: real time 0.02 seconds
NOTE: cpu time 0.03 seconds
NOTE:
NOTE: SAH239999I CONNECT, State, stopped

 

 

Can you please help me debug the issue, if i am missing somewhere to pass the certificate file

many thanks in advance for your time 🙂

doug_sas
SAS Employee

Seems to me that your script is going to run  'sas -dmr -noterminal netencryptalgorithm=ssl -nosyntaxcheck' and not your KSH script. Since there are no SSL options, the connection is going to fail as you found out.

Look at https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.3/connref/p0ze0vzqoyxy34n1sa0rpk8qd5n5.htm for more information about signon scripts.

lalit_Jalkhare
Fluorite | Level 6

Thanks, we were able to login to SAS Spawner with our client.

i have one silly question, sorry for that how, is there a way to confirm the Connection is Encrypted with SSL because on client server i checked it is showing as SAS is using TCP port 14555, so it means SAS client is connected to Spawner on TCP port 14555 with SSL Encryption ?

 

- below is the Process which runs on Server when client session is successfully Stablished with Spawner

lalit_Jalkhare_0-1689770401988.png

we have not Defined COMAMID = TCP any where, so is this be default ?

doug_sas
SAS Employee

1) The client log should state that it is using SSL for encryption.
2) For UNIX/Linux/Windows TCPIP is always used. For MVS, it may use XMS (shared memory) or TCPIP.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 5 replies
  • 1864 views
  • 0 likes
  • 2 in conversation