Exploring, predicting and reporting with SAS Visual Analytics and SAS Visual Statistics

VA 7.1 using HTTPS

Accepted Solution Solved
Reply
Occasional Contributor
Posts: 14
Accepted Solution

VA 7.1 using HTTPS

Hi,

I have installed VA 7.1 SMP, the mid tier is configured to use HTTPS, we use a certificate signed by Thwate. I am having a problem when trying to start the LASR Server, I get the following error:

ERROR: Unable to register LASR server with authentication service.

I have setup the SSLCALISTLOC option for the SAS Workspace to correctly point to the pem certificate used by the SAS Web Server but I end up with the same error, I have also created a certficate with all the certificates in the CA path and again I get the same error.

SAS Tech Support have suggested to change the protocol to HTTP for just the SASLASRAuthorization endpoint, which I have done. I have changed the LASR Auth service definition in the Metadata and also added a RewriteRule to the Web Server configuration so that all services but SASLASRAuthorization are redirected to HTTPS if called with HTTP.

This way I can start the LASR Server from SAS SAS BASE or EG, but I get a different error from within the web applications, related to spring CAS.

2014-10-27 15:38:09,224 [tomcat-http--25] ERROR org.jasig.cas.CentralAuthenticationServiceImpl - ServiceTicket [ST-37-xdZfcI6wAdiJF0jvL9bl-cas] with service [http://hostname/SASLASRAuthorization/rest/servers/details does not match supplied service [https://hostname/SASLASRAuthorization/rest/servers/details]

2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - http://hostname/SASLASRAuthorization/rest/servers/details?ticket=ST-37-xdZfcI6wAdiJF0jvL9bl-cas

2014-10-27 15:38:09,228 [tomcat-http--45] ERROR [ST-29-l5Wxwhx76DgPCMubXvYZ-caslsradmin] com.sas.lasr.mgmt.client.serviceproxy.LasrMgmtServiceProxy - org.springframework.web.client.HttpClientErrorException: 401 Unauthorized

With versions 6.x of VA I never had this problem, all was working with just the standard certificate.

Has anyone any idea? I am stuck.

Thanks, Frances


Accepted Solutions
Solution
‎02-25-2015 08:19 AM
Occasional Contributor
Posts: 14

Re: VA 7.1 using HTTPS

Hi

My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.

To confirm the correct location of the certicates bundle, on your system type

[root@srvname certs]# openssl version -d

OPENSSLDIR: "/etc/pki/tls"

[root@srvname certs]# pwd

/etc/pki/tls/certs

[root@srvname certs]# ls -l

total 1768

-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt

-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt

....

then in SAS cfg file

/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg

add the following line

-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt

and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).

SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.

Hope this helps, regards

View solution in original post


All Replies
Occasional Contributor
Posts: 14

Re: VA 7.1 using HTTPS

FYI, this was fixed. Thanks

N/A
Posts: 1

Re: VA 7.1 using HTTPS

Hi Francesco,

how did you solve this problem?

I would be interested for same activity

Thank's

Sergio

Occasional Contributor
Posts: 10

Re: VA 7.1 using HTTPS

Please let us know how you fixed the issue.

Thanks

Solution
‎02-25-2015 08:19 AM
Occasional Contributor
Posts: 14

Re: VA 7.1 using HTTPS

Hi

My certificate is signed by Thwate, ie an "official" certificates provider, this means the root and intermediate certificates are already installed on the system (in my case RHEL) when you install openSSL so I pointed SAS to the certificate bundle that comes with openSSL.

To confirm the correct location of the certicates bundle, on your system type

[root@srvname certs]# openssl version -d

OPENSSLDIR: "/etc/pki/tls"

[root@srvname certs]# pwd

/etc/pki/tls/certs

[root@srvname certs]# ls -l

total 1768

-rw-r--r--. 1 root root 786601 Jun 24 11:22 ca-bundle.crt

-rw-r--r--. 1root root 1005005 Jun 24 11:22 ca-bundle.trust.crt

....

then in SAS cfg file

/sas/SASHome/SASFoundation/9.4/sasv9_local.cfg

add the following line

-sslcalistloc /etc/pki/tls/certs/ca-bundle.trust.crt

and that's it. Note that you can add the sslcalistloc in other cfg files, I added it to the foundation cfg file because that way it's picked up by all SAS processes, regardless of their class (ie workspace, stp server, olap and so on).

SAS documentation is not very clear and I find it misleading in cases like this where the certificate is not self-signed.

Hope this helps, regards

Occasional Contributor
Posts: 10

Re: VA 7.1 using HTTPS

Hi francesco,

I tried your suggestions but I am still not able to start my lasr server.

ERROR: OpenSSL error 336134278 (0x14090086) occurred in SSL_connect/accept at
       line 4827, the error message is "error:14090086Smiley FrustratedSL
       routinesSmiley FrustratedSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
ERROR: Encryption run-time execution error

ERROR: Unable to register LASR server with authentication service.
NOTE: The SAS System stopped processing this step because of errors.
NOTE: PROCEDURE LASR used (Total process time):
      real time           10.77 seconds
      cpu time            0.04 seconds

Any idea on this error. My sasv9_local.cfg file is point towards /etc/pki/tls/certs/ca-bundle.trust.crt .

I infact tried setting SSLCALISTLOC variable to all sort of cert available like .pem, .csr, .crt etc. but nothing worked for me.

New Contributor
Posts: 3

Re: VA 7.1 using HTTPS

I had exactly the same problem and I am using a self signed certificate. The problem was resolved by pointing the -sslcalistloc option to the PEM encoded certificate that is being used by the SAS Web Server. After doing that, it all worked perfectly.

Occasional Contributor
Posts: 14

Re: VA 7.1 using HTTPS

Hi, yes this is the way described in the SAS Documentation and it works just fine, my answer is applicable for certificates signed by an external CA.

Regards

🔒 This topic is solved and locked.

Need further help from the community? Please ask a new question.

Discussion stats
  • 7 replies
  • 4039 views
  • 2 likes
  • 4 in conversation