Help using Base SAS procedures

proc http & ssl

Frequent Contributor
Posts: 92

Hello everyone,

I'm trying to use proc http to query a https site.  I tried to set up the ssl certificate per the sas documentation (link is below).

link to sas documentation:

Base SAS(R) 9.3 Procedures Guide, Second Edition

I put the following code in my cfg file:

-JREOPTIONS=(

-Djavax.net.ssl.trustStore=C:\Users\Bill\SAS\CACERT\ca-bundle.crt

-Djavax.net.ssl.trustStorePassword=trustStorePassword

SAS opens up and runs fine.  Except when I execute the proc http to query the https site, I get the following error:

200   proc http

201      url="&url."

202      method='POST'

203      headerin=header

204      in=body

205      ct='application/x-www-form-urlencoded;charset=UTF-8'

206      headerout=hout

207      out=json;

208   run;

ERROR: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

NOTE: PROCEDURE HTTP used (Total process time):

      real time           0.29 seconds

      cpu time            0.03 seconds

Should I specify a different file in the cfg file?  I tried cacert.pem, but it didn't work. Also, I tried deleting the 2nd line of the jreoptions above (trustStorePassword), but I still got the same error message.  Note I'm running SAS 9.3 on Windows Professional.  Additionally, I believe the parameters (header, body, etc) , of my request are correct.  I can use cURL to query the same site without any issues.

Thanks so much for any suggestions.

Regards,

Bill


All Replies
Regular Contributor
Posts: 217

Re: proc http & ssl

This might help you.    I don't have the answer to your question.  I'm monitoring your question so that I can learn from your question.

Frequent Contributor
Posts: 92

Re: proc http & ssl

Thanks for the link.  I'm trying to implement the solution proposed by Xia.  However, I can't seem to get the jreoption to work correctly.

Trusted Advisor
Posts: 1,300

Re: proc http & ssl

You cannot set a certificate file as a trustStore; you need to add this certificate to a valid trustStore and then use this trustStore in your configuration.  You can build a trustStore, if you don't have one, using the keytool utility.

keytool -genkey -keyalg RSA -alias mycert

-jreoptions (-Dtkj.app.launch.config=!SASROOT/picklist

             -Dsas.app.class.path=/usr/local/SAS/SASVersionedJarRepository/9.2/eclipse/plugins/tkjava.jar

             -DPFS_TEMPLATE=!SASROOT/misc/base/qrpfstpt.xml

             -Djava.security.policy=!SASROOT/misc/base/sas.policy

             -Djava.security.auth.login.config=!SASROOT/misc/base/sas.login.config

             -Djava.class.path=/usr/local/SAS/SASVersionedJarRepository/9.2/eclipse/plugins/sas.launcher.jar

             -Djava.system.class.loader=com.sas.app.AppClassLoader

             -Dsas.ext.config=!SASROOT/misc/base/sas.java.ext.config

             -Djavax.net.ssl.trustStore=/home/&sysuserid/.keystore

             -Djavax.net.ssl.trustStorePassword=q1w2e3)

http://support.sas.com/documentation/cdl/en/proc/61895/HTML/default/viewer.htm#a003286920.htm

The Most Common Java Keytool Keystore Commands

Frequent Contributor
Posts: 92

Re: proc http & ssl

FriedEgg,

Thanks very much for your assistance.  I'll attempt to build a trustStore and will report back.

Thanks again,

Bill

Frequent Contributor
Posts: 92

Re: proc http & ssl

FriedEgg,

I was able to create the truststore using the syntax that you provided.  However, when I try to add cacerts.crt to the truststore, I get an error message, see below.  Is this the correct syntax?  Do I need to alter the cacerts.crt file?

Thanks!

Bill

C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias mycert -file cacerts.crt -keystore keystore.jks

Enter keystore password:

Re-enter new password:

keytool error: java.lang.Exception: Input not an X.509 certificate

Trusted Advisor
Posts: 1,300

Re: proc http & ssl

Try running just the following:

keytool -printcert -file cacerts.crt

or, get the openssl binary

https://www.openssl.org/related/binaries.html

   and try the following:

   openssl x509 -in cacerts.crt -text -noout

   or (if that doesn't work)

   openssl x509 -in cacerts.crt -inform der -text -noout

Frequent Contributor
Posts: 92

Re: proc http & ssl

I tried four different options.  The three you suggested as well as attempting to use a cacert.pem file instead of the cacerts.crt.  Unfortunately, none of them worked, see below.

Option 1:

C:\Program Files (x86)\Java\jre6\bin>keytool -printcert -file cacerts.crt

keytool error: java.lang.Exception: Failed to parse input

Option 2:

C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacerts.crt -text -noout

unable to load certificate

5644:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

Option 3:

C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacerts.crt -inform der -text -noout

unable to load certificate

5228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\crypto\asn1\asn1_lib.c:157:

Option 4 (cacert.pem file):

C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacert.pem -text -noout

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 903804111 (0x35def4cf)

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

        Validity

            Not Before: Aug 22 16:41:51 1998 GMT

            Not After : Aug 22 16:41:51 2018 GMT

        Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 CRL Distribution Points:

                Full Name:

                  DirName: C = US, O = Equifax, OU = Equifax Secure Certificate Authority, CN = CRL1

            X509v3 Private Key Usage Period:

                Not After: Aug 22 16:41:51 2018 GMT

            X509v3 Key Usage:

                Certificate Sign, CRL Sign

            X509v3 Authority Key Identifier:

                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier:

                48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Basic Constraints:

                CA:TRUE

            1.2.840.113533.7.65.0:

                0...V3.0c....

    Signature Algorithm: sha1WithRSAEncryption

This appeared to work!  However, I got an error, when I tried to add the cacert.pem file to the truststore that I created.

C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias mycert -file cacert.pem -keystore keystore.jks

Enter keystore password:

Re-enter new password:

keytool error: java.lang.Exception: Input not an X.509 certificate

Since I was able to get further with the cacert.pem file, should I use it instead of cacerts.crt?

Trusted Advisor
Posts: 1,300

Re: proc http & ssl

Open your crt file in a text editor and remove anything outside the

-----BEGIN CERTIFICATE-----

BLAH

-----END CERTIFICATE-----

And then try to load the file to the keytool again.

Frequent Contributor
Posts: 92

Re: proc http & ssl

Thanks so much for your time with this.


I looked in the file and cannot find the BEGIN CERTIFICATE part.  It appears to be encoded.   This is what I see when I open it in notepad:


cacerts.jpg

Should I open the file with another program?

Trusted Advisor
Posts: 1,300

Re: proc http & ssl

At this point I would have to recommend that you consult with the source of the certificate you are trying to import to find out from them what format they have provided you.  Once you know that, you should be able to use openssl to convert it to a version compatible with the java keytool.

Frequent Contributor
Posts: 92

Re: proc http & ssl

Thanks for your advice.  I consulted with the website admin, and I need to use ca-bundle.crt found at the link immediately below.

http://curl.haxx.se/docs/caextract.html

I downloaded the file and removed any text before the first instance of ---BEGIN CERTIFICATE--.  I was able to get some info on the certificate, but got an error when I tried to import into the keystore:

C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in ca-bundle.crt -text -noout

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 903804111 (0x35def4cf)

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

        Validity

            Not Before: Aug 22 16:41:51 1998 GMT

            Not After : Aug 22 16:41:51 2018 GMT

        Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 CRL Distribution Points:

                Full Name:

                  DirName: C = US, O = Equifax, OU = Equifax Secure Certificate Authority, CN = CRL1

            X509v3 Private Key Usage Period:

                Not After: Aug 22 16:41:51 2018 GMT

            X509v3 Key Usage:

                Certificate Sign, CRL Sign

            X509v3 Authority Key Identifier:

                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier:

                48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Basic Constraints:

                CA:TRUE

            1.2.840.113533.7.65.0:

                0...V3.0c....

    Signature Algorithm: sha1WithRSAEncryption

C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias sslcert -file ca-bundle.crt -keystore keystore.jks

Enter keystore password:

keytool error: java.lang.Exception: Input not an X.509 certificate

Solution
‎05-14-2015 10:43 AM
Trusted Advisor
Posts: 1,300

Re: proc http & ssl

This issue is due to your file containing multiple concatenated certificates.  You either need to extract each certificate to a separate file and then import or you can try using the following tool, which should be able to import the multiple certificates for you in one swoop.

java-keyutil - Java Key Store (JKS) Utility - Google Project Hosting
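
The first option in the answer above (one certificate per file, then one import per file), as an added example that is not part of the original thread. The alias scheme, the `keystore.jks` name and the sample bundle are assumptions; the sample blocks are constructed stand-ins, not real certificates.

```python
import base64, hashlib, re, sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def split_bundle(text):
    """Return the DER bytes of each certificate block in a PEM bundle.
    Text outside the BEGIN/END markers is ignored."""
    certs = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":          # every certificate is a DER SEQUENCE
            raise ValueError("PEM block does not hold DER data")
        certs.append(der)
    return certs

def to_pem(der):
    """Re-encode one certificate as a single-certificate PEM file."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows,
                      "-----END CERTIFICATE-----", ""])

def import_plan(text, keystore="keystore.jks"):
    """One (file name, PEM text, keytool argv) entry per certificate.
    Aliases must be unique, or keytool refuses the second import."""
    plan = []
    for n, der in enumerate(split_bundle(text), 1):
        alias = "ca%03d-%s" % (n, hashlib.sha256(der).hexdigest()[:8])
        argv = ["keytool", "-import", "-trustcacerts", "-noprompt",
                "-alias", alias, "-file", alias + ".pem",
                "-keystore", keystore]   # keytool still prompts for the password
        plan.append((alias + ".pem", to_pem(der), argv))
    return plan

# Constructed stand-ins (minimal DER SEQUENCEs), not real certificates.
SAMPLE_DER = [bytes.fromhex("3003020101"), bytes.fromhex("3003020102")]
SAMPLE_BUNDLE = "## constructed comment text\n" + "label line\n=====\n".join(
    to_pem(d) for d in SAMPLE_DER)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for name, pem, argv in import_plan(text):
        if len(sys.argv) > 1:            # only write files for a real bundle
            open(name, "w").write(pem)
        print(" ".join(argv))
```

Run with the bundle path as the only argument to write one `.pem` file per certificate and print the matching `keytool` command for each.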

Frequent Contributor
Posts: 92

Re: proc http & ssl

Thanks for the link!  There are several certificates in the ca-bundle.crt file, so I definitely want to import them all at once.

I tried using the keytool utility but it cannot find the crt file that I'm trying to import.  Note the file (ca-bundle.crt) is in the java bin directory (C:\Program Files (x86)\Java\jre6\bin).

C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file ca-bundle.crt --import-jks-file trustStore.jks:changeit

The system cannot find the file specified.

C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file C:\Program Files (x86)\Java\jre6\bin\ca-bundle.crt --import-jks-file trustStore.jks:changeit

The system cannot find the file specified.

C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file "C:\Program Files (x86)\Java\jre6\bin\ca-bundle.crt" --import-jks-file trustStore.jks:changeit

The system cannot find the file specified.

Also, I tried to import the certificates from a p7b file (read a post on stackoverflow link below), but ran into the same issue.  Java cannot find the file even though cachain.p7b is in the java bin directory.

openssl - How to add certificate chain to keystore? - Stack Overflow

C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -file cachain.p7b -keystore keystore -storepass <password> -alias "mycert"

The system cannot find the file specified.

Frequent Contributor
Posts: 92

Re: proc http & ssl

FriedEgg,

Thanks very much for your help with this issue.  I used the java keyutil to add all the certificates in the ca-bundle.crt file to the keystore.  However, I had to modify the syntax on the keyutil page to get it to work.

CMD window:

Creates keystore and adds ca-bundle.crt

C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --import --new-keystore keystore.jks --password changeit --import-pem-file ca-bundle.crt

Check to see if certificates are loaded:

C:\Program Files (x86)\Java\jre6\bin>keytool -list -keystore keystore.jks

In sas config file:

-JREOPTIONS=(

        -DPFS_TEMPLATE=!SASROOT\tkjava\sasmisc\qrpfstpt.xml

        -Djava.class.path=C:\PROGRA~1\SASHome\SASVER~1\eclipse\plugins\SASLAU~1.JAR

        -Djava.security.auth.login.config=!SASROOT\tkjava\sasmisc\sas.login.config

        -Djava.security.policy=!SASROOT\tkjava\sasmisc\sas.policy

        -Djava.system.class.loader=com.sas.app.AppClassLoader

        -Dlog4j.configuration=file:/C:/Program%20Files/SASHome/SASFoundation/9.3/tkjava/sasmisc/sas.log4j.properties

        -Dsas.app.class.path=C:\PROGRA~1\SASHome\SASVER~1\eclipse\plugins\tkjava.jar

        -Dsas.ext.config=!SASROOT\tkjava\sasmisc\sas.java.ext.config

        -Dsas.jre.libjvm=C:\PROGRA~2\Java\jre6\bin\client\jvm.dll

        -Dtkj.app.launch.config=C:\PROGRA~1\SASHome\SASVER~1\picklist

        -Djavax.net.ssl.trustStore=C:\PROGRA~2\Java\jre6\bin\keystore.jks

        -Djavax.net.ssl.trustStorePassword=changeit

        -Xms128m

        -Xmx128m

        )

Regards,

Bill
