Hi,
I have installed VA 7.1 SMP, the mid tier is configured to use HTTPS, we use a certificate signed by Thwate. I am having a problem when trying to start the LASR Server, I get the following error:
ERROR: Unable to register LASR server with authentication service.
I have setup the SSLCALISTLOC option for the SAS Workspace to correctly point to the pem certificate used by the SAS Web Server but I end up with the same error, I have also created a certficate with all the certificates in the CA path and again I get the same error.
SAS Tech Support have suggested to change the protocol to HTTP for just the SASLASRAuthorization endpoint, which I have done. I have changed the LASR Auth service definition in the Metadata and also added a RewriteRule to the Web Server configuration so that all services but SASLASRAuthorization are redirected to HTTPS if called with HTTP.
This way I can start the LASR Server from SAS SAS BASE or EG, but I get a different error from within the web applications, related to spring CAS.
2014-10-27 15:38:09,224 [tomcat-http--25] ERROR org.jasig.cas.CentralAuthenticationServiceImpl - ServiceTicket [ST-37-xdZfcI6wAdiJF0jvL9bl-cas] with service [http://hostname/SASLASRAuthorization/rest/servers/details does not match supplied service [https://hostname/SASLASRAuthorization/rest/servers/details]
2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - http://hostname/SASLASRAuthorization/rest/servers/details?ticket=ST-37-xdZfcI6wAdiJF0jvL9bl-cas
2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
With versions 6.x of VA I never had this problem, all was working with just the standard certificate.
Has anyone any idea? I am stuck.
Thanks, Frances
Hi
My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.
To confirm the correct location of the certicates bundle, on your system type
[root@srvname certs]# openssl version -d
OPENSSLDIR: "/etc/pki/tls"
[root@srvname certs]# pwd
/etc/pki/tls/certs
[root@srvname certs]# ls -l
total 1768
-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt
-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt
....
then in SAS cfg file
/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg
add the following line
-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt
and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).
SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.
Hope this helps, regards
FYI, this was fixed. Thanks
Hi Francesco,
how did you solve this problem?
I would be interested for same activity
Thank's
Sergio
Please let us know how you fixed the issue.
Thanks
Hi
My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.
To confirm the correct location of the certicates bundle, on your system type
[root@srvname certs]# openssl version -d
OPENSSLDIR: "/etc/pki/tls"
[root@srvname certs]# pwd
/etc/pki/tls/certs
[root@srvname certs]# ls -l
total 1768
-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt
-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt
....
then in SAS cfg file
/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg
add the following line
-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt
and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).
SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.
Hope this helps, regards
Hi francesco,
I tried your suggestions but I am still not able to start my lasr server.
ERROR: OpenSSL error 336134278 (0x14090086) occurred in SSL_connect/accept at
line 4827, the error message is "error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
ERROR: Encryption run-time execution error
ERROR: Unable to register LASR server with authentication service.
NOTE: The SAS System stopped processing this step because of errors.
NOTE: PROCEDURE LASR used (Total process time):
real time 10.77 seconds
cpu time 0.04 seconds
Any idea on this error. My sasv9_local.cfg file is point towards /etc/pki/tls/certs/ca-bundle.trust.crt .
I infact tried setting SSLCALISTLOC variable to all sort of cert available like .pem, .csr, .crt etc. but nothing worked for me.
I had exactly the same problem and I am using a self signed certificate. The problem was resolved by pointing the -sslcalistloc option to the PEM encoded certificate that is being used by the SAS Web Server. After doing that, it all worked perfectly.
Hi, yes this is the way described in the SAS Documentation and it works just fine, my answer is applicable for certificates signed by an external CA.
Regards
Registration is now open for SAS Innovate 2025 , our biggest and most exciting global event of the year! Join us in Orlando, FL, May 6-9.
Sign up by Dec. 31 to get the 2024 rate of just $495.
Register now!
See how to use one filter for multiple data sources by mapping your data from SAS’ Alexandria McCall.
Find more tutorials on the SAS Users YouTube channel.