SAS Viya offers a variety of scenarios for securing your deployment with certificates. Depending on your requirements, you can select the scenario that best fits your needs. Many great blogs have been written about this topic; if you are interested in reading more about it, please have a look at these blogs:
In this blog I will write about my experiences with deploying SAS Viya using a certificate that is signed by a public Certificate Authority (CA). If you are using self-signed certificates, there is not that much that can go wrong. However, using a certificate that is signed by a public CA can complicate matters, because this usually involves intermediate certificates that are necessary to complete the certificate chain.
An application that serves a certificate is responsible for sending the entire certificate chain, meaning that it must send the server certificate and all intermediate certificates necessary to complete that chain. When the chain is not complete, clients report errors like x509: certificate signed by unknown authority.
When I deploy SAS Viya, I typically verify my certificates by opening an application like SAS Environment Manager in my browser. The problem with this method is that browsers tend to complete the certificate chain using their own embedded certificate store, so an incomplete chain will show up as complete in the browser. That is not a reliable way to validate your certificates. But how can you make sure that the chain is valid? Before answering that question, let’s first look at what the certificate chain of trust is.
When you visit an application like SAS Environment Manager over a secure connection, the server sends its certificate back to the client. To validate that this is a trusted certificate, the client tries to prove that it comes from a trusted source by validating each certificate in the chain of trust until it finds the corresponding root certificate in its own trust store. If the client cannot find the corresponding root certificate in its trust store, the certificate will not be trusted.
We established earlier in this blog that using your browser as a client to check whether the certificate chain is complete is not a reliable method: your browser will try to complete the chain without you knowing it. But how do I check whether my certificate chain is complete, you may ask?
When you have deployed SAS Viya using a certificate that is signed by a public CA, you can check whether the chain is complete by doing one of the following:
If, in either case, you end up with an error message like x509: certificate signed by unknown authority, you know for sure that your certificate chain is incomplete: you have probably missed a necessary intermediate certificate. Let’s see how we can solve that!
When you obtain a certificate signed by a public CA like DigiCert, they will provide you with a couple of files.
To complete the chain, you need to provide both the server certificate and the intermediate certificate to your Viya deployment. Luckily, this is easy to accomplish: you can simply concatenate the server certificate and the intermediate certificate into one file. However, you need to make sure that they are in the following order:
Once you have concatenated the contents of both files into a new file, follow the steps as described here. Make sure to point to the newly created file in the overlay, and then deploy Viya.
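As an added example (not code from the original post or from SAS), the check and the fix described above carried out offline with the openssl CLI: a throw-away root, intermediate and server certificate are generated, and the script then shows that the server certificate on its own fails verification with the openssl equivalent of "certificate signed by unknown authority", while the concatenated server-plus-intermediate file in the recommended order verifies. The CA names, host name and file names are all constructed placeholders; the only requirement is the openssl command.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throw-away root -> intermediate -> leaf
# PKI with the openssl CLI and shows that the leaf alone fails verification while the
# leaf+intermediate bundle, in that order, is accepted. All names are constructed placeholders.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Returns 0 when a PEM bundle is ordered server cert first, then its issuer, then that
# issuer's issuer (each certificate's issuer must equal the subject of the next one).
chain_in_order() {  # $1 = PEM bundle
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  n=$(ls "$d" | wc -l); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "$d/$i.pem" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || { rm -rf "$d"; return 1; }
    i=$((i + 1))
  done
  rm -rf "$d"
}

# Verifies the first cert of a bundle against a trusted root, offering the rest of the
# bundle as untrusted intermediates, as a TLS client does with what the server sent.
verify_bundle() {  # $1 = trusted root PEM, $2 = PEM bundle; returns openssl verify's status
  leaf=$(mktemp)
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$2" > "$leaf"
  openssl verify -CAfile "$1" -untrusted "$2" "$leaf" >/dev/null 2>&1 && rc=0 || rc=$?
  rm -f "$leaf"; return "$rc"
}

# Constructed demo PKI: one minimal config serves both the root's self-signature and the
# intermediate's CA extensions. Placeholder names only; nothing here is a real CA.
printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.cnf
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 1 -subj "/CN=Demo Root CA" 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.cnf -extensions ca -out int.pem 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=viya.example.invalid" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 -out leaf.pem 2>/dev/null
cat leaf.pem int.pem > complete.pem   # what the post recommends: server cert, then intermediate
cat int.pem leaf.pem > reversed.pem   # same certificates, wrong order

for b in leaf.pem reversed.pem complete.pem; do
  chain_in_order "$b" && order="in order" || order="out of order"
  verify_bundle root.pem "$b" && chain="verifies" || chain="unable to get local issuer (unknown authority)"
  echo "$b: $order, $chain"
done
```

Note that the reversed bundle still "verifies" because openssl happily validates whichever certificate comes first; the ordering check is what catches a file whose first certificate is not the server certificate.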
In this article I’ve written about the certificate chain of trust, and how that chain becomes relevant once you are using certificates signed by a public Certificate Authority in your Viya deployment. I wrote about your browser automatically completing this chain for you, and what signs to look for when you haven’t provided all the certificates needed to complete that chain. Hopefully, by reading this blog, you will know what to do once you run into these issues!
Thank you for reading!