BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
franz
Fluorite | Level 6

Hi,

I have installed VA 7.1 SMP, the mid tier is configured to use HTTPS, we use a certificate signed by Thwate. I am having a problem when trying to start the LASR Server, I get the following error:

ERROR: Unable to register LASR server with authentication service.

I have setup the SSLCALISTLOC option for the SAS Workspace to correctly point to the pem certificate used by the SAS Web Server but I end up with the same error, I have also created a certficate with all the certificates in the CA path and again I get the same error.

SAS Tech Support have suggested to change the protocol to HTTP for just the SASLASRAuthorization endpoint, which I have done. I have changed the LASR Auth service definition in the Metadata and also added a RewriteRule to the Web Server configuration so that all services but SASLASRAuthorization are redirected to HTTPS if called with HTTP.

This way I can start the LASR Server from SAS SAS BASE or EG, but I get a different error from within the web applications, related to spring CAS.

2014-10-27 15:38:09,224 [tomcat-http--25] ERROR org.jasig.cas.CentralAuthenticationServiceImpl - ServiceTicket [ST-37-xdZfcI6wAdiJF0jvL9bl-cas] with service [http://hostname/SASLASRAuthorization/rest/servers/details does not match supplied service [https://hostname/SASLASRAuthorization/rest/servers/details]

2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - http://hostname/SASLASRAuthorization/rest/servers/details?ticket=ST-37-xdZfcI6wAdiJF0jvL9bl-cas

2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - org.springframework.web.client.HttpClientErrorException: 401 Unauthorized

With versions 6.x of VA I never had this problem, all was working with just the standard certificate.

Has anyone any idea? I am stuck.

Thanks, Frances

1 ACCEPTED SOLUTION

Accepted Solutions
franz
Fluorite | Level 6

Hi

My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.

To confirm the correct location of the certicates bundle, on your system type

[root@srvname certs]# openssl version -d

OPENSSLDIR: "/etc/pki/tls"

[root@srvname certs]# pwd

/etc/pki/tls/certs

[root@srvname certs]# ls -l

total 1768

-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt

-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt

....

then in SAS cfg file

/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg

add the following line

-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt

and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).

SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.

Hope this helps, regards

View solution in original post

7 REPLIES 7
franz
Fluorite | Level 6

FYI, this was fixed. Thanks

dursergio
Calcite | Level 5

Hi Francesco,

how did you solve this problem?

I would be interested for same activity

Thank's

Sergio

shatrughan
Calcite | Level 5

Please let us know how you fixed the issue.

Thanks

franz
Fluorite | Level 6

Hi

My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.

To confirm the correct location of the certicates bundle, on your system type

[root@srvname certs]# openssl version -d

OPENSSLDIR: "/etc/pki/tls"

[root@srvname certs]# pwd

/etc/pki/tls/certs

[root@srvname certs]# ls -l

total 1768

-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt

-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt

....

then in SAS cfg file

/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg

add the following line

-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt

and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).

SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.

Hope this helps, regards

shatrughan
Calcite | Level 5

Hi francesco,

I tried your suggestions but I am still not able to start my lasr server.

ERROR: OpenSSL error 336134278 (0x14090086) occurred in SSL_connect/accept at
       line 4827, the error message is "error:14090086:SSL
       routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
ERROR: Encryption run-time execution error

ERROR: Unable to register LASR server with authentication service.
NOTE: The SAS System stopped processing this step because of errors.
NOTE: PROCEDURE LASR used (Total process time):
      real time           10.77 seconds
      cpu time            0.04 seconds

Any idea on this error. My sasv9_local.cfg file is point towards /etc/pki/tls/certs/ca-bundle.trust.crt .

I infact tried setting SSLCALISTLOC variable to all sort of cert available like .pem, .csr, .crt etc. but nothing worked for me.

cj_blake
SAS Employee

I had exactly the same problem and I am using a self signed certificate. The problem was resolved by pointing the -sslcalistloc option to the PEM encoded certificate that is being used by the SAS Web Server. After doing that, it all worked perfectly.

franz
Fluorite | Level 6

Hi, yes this is the way described in the SAS Documentation and it works just fine, my answer is applicable for certificates signed by an external CA.

Regards

SAS Innovate 2025: Register Now

Registration is now open for SAS Innovate 2025 , our biggest and most exciting global event of the year! Join us in Orlando, FL, May 6-9.
Sign up by Dec. 31 to get the 2024 rate of just $495.
Register now!

Tips for filtering data sources in SAS Visual Analytics

See how to use one filter for multiple data sources by mapping your data from SAS’ Alexandria McCall.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 7 replies
  • 10184 views
  • 2 likes
  • 4 in conversation