RupaJ
Lapis Lazuli | Level 10

Hello,

I am kind of confused as to what certs are required for SSL configuration. So far I understood that we need the certs in PEM base 64 encoded format. One for root and one for CA. Is my understanding correct? Could anyone give me more details on what is actually required?

Thanks

Accepted Solutions
RupaJ
Lapis Lazuli | Level 10

Hello,

So SAS support resolved my issue. What had happened was that I had imported a PKCS7 cert file, which actually messed up the trustedcerts.jks/trustedcerts.pem files in the /opt/sas/sashome/SASSecurityCertificateFramework/1.1/cacerts directory. Due to this, even when I was trying to import the right certs, I was getting an error. The reason is that SDM actually saves all the certs that we import, and so it was constantly throwing an error. SAS support mentioned it as a defect in SDM and are planning to correct it. So as a workaround, we removed the trustedcerts.jks and trustedcerts.pem files, removed all the unwanted/bad certs from the directory, and re-imported the right certs again, and that did the trick. Here are the commands to check the certs that your IT provides. They would save a lot of time:

keytool -printcert -file ca-chain.pem

openssl x509 -text -noout -in <your-server>.cer

openssl verify -CAfile ./ca-chain.pem <your-server>.cer

Thanks

14 REPLIES
RupaJ
Lapis Lazuli | Level 10

Just some additional details. I got two certs from my IT guys (root.cer and local.cer). When I tried applying root.cer (it was in PEM format), I got an error:

BUILD FAILED
: Failed generate trustedcerts.jks: null

I also changed the root.cer to the root.pem extension and still received the same error.

RupaJ
Lapis Lazuli | Level 10

Sorry, I failed to mention that I am trying to configure the SAS mid tier on a RHEL 7 environment.

PaulHomes
Rhodochrosite | Level 12

What method are you using to import your CA certs into the Trusted CA Bundle, and what commands are you using (if any)? Have you seen Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager in the Encryption in SAS® 9.4 documentation?

When SAS or third party software makes a TLS connection to a SAS server it needs to verify the certificate chain. If the server cert is signed by an intermediate CA and that intermediate CA's cert is signed by a root CA then the root CA and the intermediate CA certificates need to be found as trusted certs by the client. For SAS clients the Trusted CA Bundle is used. If you have site signed certs then you add your site CA certificate (and any site intermediate CA if used). If you have commercial CA signed certificates (e.g. DigiCert etc) where the commercial root CA cert is already present in the Trusted CA Bundle then you may only need to install any intermediate CA certificate (all the commercial CA certs I have used have had an intermediate CA).

 

I sometimes forget whether I have added CA certificates to the Trusted CA Bundle and so wrote down some notes on what I do to check in this blog post: Did I add that CA Certificate to the SAS Trusted CA Bundle? 

PaulHomes
Rhodochrosite | Level 12

I forgot to add that the openssl x509 command is very useful in reviewing/checking the PEM files before you add them to the SAS Trusted CA Bundle. Check out the Examples section of the OpenSSL x509 man page for some example command lines.

BTW sometimes PEM files come with a text version embedded in them to make it easier for humans to read. I have found that some tools (can't remember if the SAS Deployment Manager is one of them) don't like this and so if I have problems I'll remove the additional text so that the PEM files only contain the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block(s).

PaulHomes
Rhodochrosite | Level 12

I just checked my notes and saw I had written:

# Use SAS Deployment Manager to import our CA certificates into the trusted CA bundle.
# Can only add one cert at a time.
# Need to remove text descriptors from the .crt files before using SAS Deployment Manager (otherwise it complains about non-PEM encoding)

... this doesn't sound like the error you are having but I would look inside the PEM files to check they only have a -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block and no text form of the certificate before/after the block.
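
A pre-import check for the points raised in this thread (text descriptors around the PEM block, one certificate per import, and a PKCS7 file in place of a certificate), as an added example that is not part of any post here or of SAS's own tooling: it splits a file's contents into clean single-certificate PEM blocks and reports everything else. The names `inspect_pem`, `sample_block` and `SAMPLE` are made up for this illustration, and the sample payloads are constructed placeholder DER bytes, not real certificates.

```python
import base64
import re

# Any PEM block, whatever its label (CERTIFICATE, PKCS7, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def inspect_pem(text):
    """Return (certs, problems) for the contents of one PEM file.

    certs: one clean single-certificate PEM string per CERTIFICATE block.
    problems: findings worth resolving before importing anything.
    """
    certs, problems, pos = [], [], 0
    for m in PEM_BLOCK.finditer(text):
        if text[pos:m.start()].strip():
            problems.append("text outside PEM block before offset %d" % m.start())
        pos = m.end()
        label, body = m.group(1), "".join(m.group(2).split())
        if label != "CERTIFICATE":
            problems.append("unsupported block type: " + label)
            continue
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("invalid base64 in CERTIFICATE block")
            continue
        if not der.startswith(b"\x30"):  # an X.509 cert is a DER SEQUENCE
            problems.append("CERTIFICATE block is not a DER SEQUENCE")
            continue
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    if text[pos:].strip():
        problems.append("text outside PEM block at end of file")
    return certs, problems


def sample_block(label, payload):
    # Constructed sample data: placeholder DER bytes, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


SAMPLE = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
          + sample_block("CERTIFICATE", b"\x30\x03\x02\x01\x01")
          + sample_block("CERTIFICATE", b"\x30\x03\x02\x01\x02")
          + sample_block("PKCS7", b"\x30\x03\x02\x01\x03"))
```

Each returned string can be written to its own file and reviewed with the openssl x509 command mentioned in the thread before it is imported.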

RupaJ
Lapis Lazuli | Level 10

Hello @PaulHomes

Thank you for all the details. Yes, I was using SDM to import the certificates and we also verified the certs using the below command:

openssl verify -CAfile ./ca-chain.pem sastest.cer
sastest.cer: OK

I checked the file and it just has "BEGIN CERTIFICATE....END CERTIFICATE" and no other text. But it just keeps throwing that error. I have raised this with SAS support now.

JuanS_OCS
Amethyst | Level 16

Hello @RupaJ,

The Build failed for trustcerts.jks tells me there might be a problem with the trustedcerts.jks file itself. Could you check the user that is trying to update the certificate (should be the sasinst user) and the permissions on the file itself?

I can also imagine a corruption in this file (I have seen it several other times, from people trying to import the certificates with keytool commands, not SAS Deployment Manager) and in this case, only a restore from a previous version might help. My advice: be very careful with that.

PS. For other people coming to this thread, please see a guide on Paul's comments and this link https://communities.sas.com/t5/Administration-and-Deployment/HTTPS-ERROR/td-p/340502

 

RupaJ
Lapis Lazuli | Level 10

Hello @JuanS_OCS

Thanks for the response. I am not able to locate the trustcerts.jks file on the server I am installing. I don't see this file even on my production server where SAS 9.4 M3 is up and running.

I am using sasinstaller user to launch the SDM.

JuanS_OCS
Amethyst | Level 16

"trustedcerts.jks"

If everything else fails, and while you wait for the response by SAS Technical Support, you can always try and use this Java-based tool: http://support.sas.com/kb/57/370.html

Highly recommended 🙂 My life saver for SSL certificates in SAS.

RupaJ
Lapis Lazuli | Level 10

Ahh, thanks! So I tried the tool and checked the "trustedcerts.jks" keystore and I got "connection successful".  So looks like the keystore is working. Not sure why I am getting the error while importing them. 

JuanS_OCS
Amethyst | Level 16

You can import the certs with this tool too.

 

I would contact SAS Technical Support, there might be a hotfix available for that problem.

PaulHomes
Rhodochrosite | Level 12

Have you had a look at the SAS Deployment Manager log files to see if there are any additional error messages or clues? I just checked /home/sas/.SASAppData/SASDeploymentWizard/*.log and can see when I added my site CA certificates. Perhaps your log files have some helpful error messages?

RupaJ
Lapis Lazuli | Level 10

Hello @PaulHomes,

Thanks! So I reached out to SAS support and they are suspecting an issue with the trustedcerts.pem file. We launched the SDM with the -loglevel 2 option and gathered more logs (including the SDM logs, which I wasn't aware of until then). I shall post the solution once it's resolved.
