Solved: Re: VA 7.1 using HTTPS

franz · Posted 10-28-2014 11:46 AM

Hi,

I have installed VA 7.1 SMP, the mid tier is configured to use HTTPS, we use a certificate signed by Thwate. I am having a problem when trying to start the LASR Server, I get the following error:

ERROR: Unable to register LASR server with authentication service.

I have setup the SSLCALISTLOC option for the SAS Workspace to correctly point to the pem certificate used by the SAS Web Server but I end up with the same error, I have also created a certficate with all the certificates in the CA path and again I get the same error.

SAS Tech Support have suggested to change the protocol to HTTP for just the SASLASRAuthorization endpoint, which I have done. I have changed the LASR Auth service definition in the Metadata and also added a RewriteRule to the Web Server configuration so that all services but SASLASRAuthorization are redirected to HTTPS if called with HTTP.

This way I can start the LASR Server from SAS SAS BASE or EG, but I get a different error from within the web applications, related to spring CAS.

2014-10-27 15:38:09,224 [tomcat-http--25] ERROR org.jasig.cas.CentralAuthenticationServiceImpl - ServiceTicket [ST-37-xdZfcI6wAdiJF0jvL9bl-cas] with service [http://hostname/SASLASRAuthorization/rest/servers/details does not match supplied service [https://hostname/SASLASRAuthorization/rest/servers/details]

2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - http://hostname/SASLASRAuthorization/rest/servers/details?ticket=ST-37-xdZfcI6wAdiJF0jvL9bl-cas

2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - org.springframework.web.client.HttpClientErrorException: 401 Unauthorized

With versions 6.x of VA I never had this problem, all was working with just the standard certificate.

Has anyone any idea? I am stuck.

Thanks, Frances

franz · Posted 02-25-2015 08:19 AM

Hi

My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.

To confirm the correct location of the certicates bundle, on your system type

[root@srvname certs]# openssl version -d

OPENSSLDIR: "/etc/pki/tls"

[root@srvname certs]# pwd

/etc/pki/tls/certs

[root@srvname certs]# ls -l

total 1768

-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt

-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt

....

then in SAS cfg file

/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg

add the following line

-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt

and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).

SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.

Hope this helps, regards

View solution in original post

franz · Posted 12-18-2014 09:36 AM

FYI, this was fixed. Thanks

dursergio · Posted 12-18-2014 11:50 AM

Hi Francesco,

how did you solve this problem?

I would be interested for same activity

Thank's

Sergio

shatrughan · Posted 02-25-2015 05:06 AM

Please let us know how you fixed the issue.

Thanks

franz · Posted 02-25-2015 08:19 AM

Hi

My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.

To confirm the correct location of the certicates bundle, on your system type

[root@srvname certs]# openssl version -d

OPENSSLDIR: "/etc/pki/tls"

[root@srvname certs]# pwd

/etc/pki/tls/certs

[root@srvname certs]# ls -l

total 1768

-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt

-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt

....

then in SAS cfg file

/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg

add the following line

-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt

and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).

SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.

Hope this helps, regards

shatrughan · Posted 03-17-2015 01:28 AM

Hi francesco,

I tried your suggestions but I am still not able to start my lasr server.

ERROR: OpenSSL error 336134278 (0x14090086) occurred in SSL_connect/accept at
line 4827, the error message is "error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
ERROR: Encryption run-time execution error

ERROR: Unable to register LASR server with authentication service.
NOTE: The SAS System stopped processing this step because of errors.
NOTE: PROCEDURE LASR used (Total process time):
real time 10.77 seconds
cpu time 0.04 seconds

Any idea on this error. My sasv9_local.cfg file is point towards /etc/pki/tls/certs/ca-bundle.trust.crt .

I infact tried setting SSLCALISTLOC variable to all sort of cert available like .pem, .csr, .crt etc. but nothing worked for me.

cj_blake · Posted 03-21-2015 05:35 AM

I had exactly the same problem and I am using a self signed certificate. The problem was resolved by pointing the -sslcalistloc option to the PEM encoded certificate that is being used by the SAS Web Server. After doing that, it all worked perfectly.

franz · Posted 03-25-2015 09:42 AM

Hi, yes this is the way described in the SAS Documentation and it works just fine, my answer is applicable for certificates signed by an external CA.

Regards

SAS Innovate 2025: Save the Date