BillJones
Calcite | Level 5

Hello everyone,

I'm trying to use proc http to query a https site.  I tried to set up the ssl certificate per the sas documentation (link is below).

link to sas documentation:

Base SAS(R) 9.3 Procedures Guide, Second Edition

I put the following code in my cfg file:

-JREOPTIONS=(
-Djavax.net.ssl.trustStore=C:\Users\Bill\SAS\CACERT\ca-bundle.crt
-Djavax.net.ssl.trustStorePassword=trustStorePassword
)

SAS opens up and runs fine.  Except when I execute the proc http to query the https site, I get the following error:

200   proc http

201      url="&url."

202      method='POST'

203      headerin=header

204      in=body

205      ct='application/x-www-form-urlencoded;charset=UTF-8'

206      headerout=hout

207      out=json;

208   run;

ERROR: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

NOTE: PROCEDURE HTTP used (Total process time):

      real time           0.29 seconds

      cpu time            0.03 seconds

Should I specify a different file in the cfg file?  I tried cacert.pem, but it didn't work. Also, I tried deleting the 2nd line of the jreoptions above (trustStorePassword), but I still got the same error message.  Note I'm running SAS 9.3 on Windows Professional.  Additionally, I believe the parameters (header, body, etc) , of my request are correct.  I can use cURL to query the same site without any issues.

Thanks so much for any suggestions.

Regards,

Bill

jwillis
Quartz | Level 8

This might help you.    I don't have the answer to your question.  I'm monitoring your question so that I can learn from your question.

BillJones
Calcite | Level 5

Thanks for the link.  I'm trying to implement the solution proposed by Xia.  However, I can't seem to get the jreoption to work correctly.

FriedEgg
SAS Employee

You cannot set a certificate file as a trustStore; you need to add this certificate to a valid trustStore and then use this trustStore in your configuration.  You can build a trustStore, if you don't have one, using the keytool utility.

keytool -genkey -keyalg RSA -alias mycert

-jreoptions (-Dtkj.app.launch.config=!SASROOT/picklist

             -Dsas.app.class.path=/usr/local/SAS/SASVersionedJarRepository/9.2/eclipse/plugins/tkjava.jar

             -DPFS_TEMPLATE=!SASROOT/misc/base/qrpfstpt.xml

             -Djava.security.policy=!SASROOT/misc/base/sas.policy

             -Djava.security.auth.login.config=!SASROOT/misc/base/sas.login.config

             -Djava.class.path=/usr/local/SAS/SASVersionedJarRepository/9.2/eclipse/plugins/sas.launcher.jar

             -Djava.system.class.loader=com.sas.app.AppClassLoader

             -Dsas.ext.config=!SASROOT/misc/base/sas.java.ext.config

             -Djavax.net.ssl.trustStore=/home/&sysuserid/.keystore

             -Djavax.net.ssl.trustStorePassword=q1w2e3)

http://support.sas.com/documentation/cdl/en/proc/61895/HTML/default/viewer.htm#a003286920.htm

The Most Common Java Keytool Keystore Commands

BillJones
Calcite | Level 5

FriedEgg,

Thanks very much for your assistance.  I'll attempt to build a trustStore and will report back.

Thanks again,

Bill

BillJones
Calcite | Level 5

FriedEgg,

I was able to create the truststore using the syntax that you provided.  However, when I try to add cacerts.crt to the truststore, I get an error message, see below.  Is this the correct syntax?  Do I need to alter the cacerts.crt file?

Thanks!

Bill

C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias mycert -file cacerts.crt -keystore keystore.jks

Enter keystore password:

Re-enter new password:

keytool error: java.lang.Exception: Input not an X.509 certificate

FriedEgg
SAS Employee

Try running just the following:

keytool -printcert -file cacerts.crt

or, get the openssl binary

https://www.openssl.org/related/binaries.html

   and try the following:

   openssl x509 -in cacerts.crt -text -noout

   or (if that doesn't work)

   openssl x509 -in cacerts.crt -inform der -text -noout

BillJones
Calcite | Level 5

I tried four different options.  The three you suggested as well as attempting to use a cacert.pem file instead of the cacerts.crt.  Unfortunately, none of them worked, see below.

Option 1:

C:\Program Files (x86)\Java\jre6\bin>keytool -printcert -file cacerts.crt

keytool error: java.lang.Exception: Failed to parse input

Option 2:

C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacerts.crt -text -noout

unable to load certificate

5644:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

Option 3:

C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacerts.crt -inform der -text -noout

unable to load certificate

5228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\crypto\asn1\asn1_lib.c:157:

Option 4 (cacert.pem file):

C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacert.pem -text -noout

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 903804111 (0x35def4cf)

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

        Validity

            Not Before: Aug 22 16:41:51 1998 GMT

            Not After : Aug 22 16:41:51 2018 GMT

        Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 CRL Distribution Points:

                Full Name:

                  DirName: C = US, O = Equifax, OU = Equifax Secure Certificate Authority, CN = CRL1

            X509v3 Private Key Usage Period:

                Not After: Aug 22 16:41:51 2018 GMT

            X509v3 Key Usage:

                Certificate Sign, CRL Sign

            X509v3 Authority Key Identifier:

                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier:

                48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Basic Constraints:

                CA:TRUE

            1.2.840.113533.7.65.0:

                0...V3.0c....

    Signature Algorithm: sha1WithRSAEncryption

This appeared to work!  However, I got an error, when I tried to add the cacert.pem file to the truststore that I created.

C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias mycert -file cacert.pem -keystore keystore.jks

Enter keystore password:

Re-enter new password:

keytool error: java.lang.Exception: Input not an X.509 certificate

Since I was able to get further with the cacert.pem file, should I use it instead of cacerts.crt?

FriedEgg
SAS Employee

Open your crt file in a text editor and remove anything outside the

-----BEGIN CERTIFICATE-----

BLAH

-----END CERTIFICATE-----

And then try to load the file to the keytool again.

BillJones
Calcite | Level 5

Thanks so much for your time with this.


I looked in the file and cannot find the BEGIN CERTIFICATE part.  It appears to be encoded.   This is what I see when I open it in notepad:


cacerts.jpg

Should I open the file with another program?

FriedEgg
SAS Employee

At this point I would have to recommend that you consult with the source of the certificate you are trying to import to find out from them what format they have provided you.  Once you know that, you should be able to use openssl to convert it to a version compatible with the java keytool.

BillJones
Calcite | Level 5

Thanks for your advice.  I consulted with the website admin, and I need to use ca-bundle.crt found at the link immediately below.

http://curl.haxx.se/docs/caextract.html

I downloaded the file and removed any text before the first instance of ---BEGIN CERTIFICATE--.  I was able to get some info on the certificate, but got an error when I tried to import into the keystore:

C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in ca-bundle.crt -text -noout

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 903804111 (0x35def4cf)

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

        Validity

            Not Before: Aug 22 16:41:51 1998 GMT

            Not After : Aug 22 16:41:51 2018 GMT

        Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 CRL Distribution Points:

                Full Name:

                  DirName: C = US, O = Equifax, OU = Equifax Secure Certificate Authority, CN = CRL1

            X509v3 Private Key Usage Period:

                Not After: Aug 22 16:41:51 2018 GMT

            X509v3 Key Usage:

                Certificate Sign, CRL Sign

            X509v3 Authority Key Identifier:

                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier:

                48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Basic Constraints:

                CA:TRUE

            1.2.840.113533.7.65.0:

                0...V3.0c....

    Signature Algorithm: sha1WithRSAEncryption

C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias sslcert -file ca-bundle.crt -keystore keystore.jks

Enter keystore password:

keytool error: java.lang.Exception: Input not an X.509 certificate

FriedEgg
SAS Employee

This issue is due to your file containing multiple concatenated certificates.  You either need to extract each certificate to a separate file and then import or you can try using the following tool, which should be able to import the multiple certificates for you in one swoop.

java-keyutil - Java Key Store (JKS) Utility - Google Project Hosting
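
The split-then-import route described above, as an added example that is not part of the original thread: it pulls every BEGIN/END CERTIFICATE block out of a concatenated bundle, writes each block to its own file, and builds one keytool -import command per file. The function names, the ca-NNN aliases and the sample bundle are assumptions made for illustration; the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import os
import re
import tempfile

# Constructed sample: comment text plus two placeholder blocks (tiny DER
# SEQUENCEs, not real certificates), laid out like a concatenated CA bundle.
SAMPLE_BUNDLE = """## Bundle header text that keytool cannot parse
First CA
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
Second CA
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def split_pem_bundle(text):
    """Return the DER bytes of each certificate block, ignoring other text."""
    certs = []
    for match in PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())       # drop CR/LF and spaces
        der = base64.b64decode(body, validate=True)  # ValueError on bad base64
        if not der.startswith(b"\x30"):              # DER certs open with SEQUENCE
            raise ValueError("block %d is not DER" % (len(certs) + 1))
        certs.append(der)
    return certs

def build_import_commands(text, out_dir, keystore, storepass):
    """Write one PEM file per certificate; return one keytool argv per file."""
    commands = []
    for i, der in enumerate(split_pem_bundle(text), start=1):
        alias = "ca-%03d" % i                        # every entry needs its own alias
        path = os.path.join(out_dir, alias + ".pem")
        b64 = base64.b64encode(der).decode("ascii")
        rows = [b64[j:j + 64] for j in range(0, len(b64), 64)]
        with open(path, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % "\n".join(rows))
        commands.append(["keytool", "-import", "-noprompt", "-trustcacerts",
                         "-alias", alias, "-file", path,
                         "-keystore", keystore, "-storepass", storepass])
    return commands

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for argv in build_import_commands(SAMPLE_BUNDLE, tmp, "keystore.jks", "changeit"):
            print(" ".join(argv))  # pass argv to subprocess.run() for a real bundle
```

-noprompt skips keytool's per-certificate trust confirmation, so review what the bundle contains (for instance with keytool -list -v on the result) before pointing javax.net.ssl.trustStore at the new keystore.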

BillJones
Calcite | Level 5

Thanks for the link!  There are several certificates in the ca-bundle.crt file, so I definitely want to import them all at once.

I tried using the keytool utility but it cannot find the crt file that I'm trying to import.  Note the file (ca-bundle.crt) is in the java bin directory (C:\Program Files (x86)\Java\jre6\bin).

C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file ca-bundle.crt --import-jks-file trustStore.jks:changeit

The system cannot find the file specified.

C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file C:\Program Files (x86)\Java\jre6\bin\ca-bundle.crt --import-jks-file trustStore.jks:changeit

The system cannot find the file specified.

C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file "C:\Program Files (x86)\Java\jre6\bin\ca-bundle.crt" --import-jks-file trustStore.jks:changeit

The system cannot find the file specified.

Also, I tried to import the certificates from a p7b file (read a post on stackoverflow link below), but ran into the same issue.  Java cannot find the file even though cachain.p7b is in the java bin directory.

openssl - How to add certificate chain to keystore? - Stack Overflow

C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -file cachain.p7b -keystore keystore -storepass <password> -alias "mycert"

The system cannot find the file specified.

BillJones
Calcite | Level 5

FriedEgg,

Thanks very much for your help with this issue.  I used the java keyutil to add all the certificates in the ca-bundle.crt file to the keystore.  However, I had to modify the syntax on the keyutil page to get it to work.

CMD window:

Creates keystore and adds ca-bundle.crt

C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --import --new-keystore keystore.jks --password changeit --import-pem-file ca-bundle.crt

Check to see if certificates are loaded:

C:\Program Files (x86)\Java\jre6\bin>keytool -list -keystore keystore.jks

In sas config file:

-JREOPTIONS=(

        -DPFS_TEMPLATE=!SASROOT\tkjava\sasmisc\qrpfstpt.xml

        -Djava.class.path=C:\PROGRA~1\SASHome\SASVER~1\eclipse\plugins\SASLAU~1.JAR

        -Djava.security.auth.login.config=!SASROOT\tkjava\sasmisc\sas.login.config

        -Djava.security.policy=!SASROOT\tkjava\sasmisc\sas.policy

        -Djava.system.class.loader=com.sas.app.AppClassLoader

        -Dlog4j.configuration=file:/C:/Program%20Files/SASHome/SASFoundation/9.3/tkjava/sasmisc/sas.log4j.properties

        -Dsas.app.class.path=C:\PROGRA~1\SASHome\SASVER~1\eclipse\plugins\tkjava.jar

        -Dsas.ext.config=!SASROOT\tkjava\sasmisc\sas.java.ext.config

        -Dsas.jre.libjvm=C:\PROGRA~2\Java\jre6\bin\client\jvm.dll

        -Dtkj.app.launch.config=C:\PROGRA~1\SASHome\SASVER~1\picklist

        -Djavax.net.ssl.trustStore=C:\PROGRA~2\Java\jre6\bin\keystore.jks

        -Djavax.net.ssl.trustStorePassword=changeit

        -Xms128m

        -Xmx128m

        )

Regards,

Bill
