BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
SDV
Obsidian | Level 7 SDV
Obsidian | Level 7

We have SAS 9.4m5 and a recently installed & configured Viya 3.3 environment.  We are trying to connect 9.4m5 to Viya and following the instructions in The SAS Viya 3.3 Admin Guide, and the Configure SAS 9.4 Clients to Work with SAS Viya section.  We'd like for users to be able to use EG to submit code to CAS. Therefore, we are configuring the SAS 9.4 Compute Server to connect with CAS.

 

We did these steps:

  • Copied the SAS Viya CA certificates (vault-sas-service-ca.crt) to the SAS 9.4 compute server
  • Ran the Deployment Manager to add the certificates to the trusted CA bundle for 9.4
    • After selecting the certificate vault-sas-service-ca.crt, we get the error:

                        "Failed to validate the certificate path: Path does not chain with any of the trust anchors.  The certificate(s) were validated in the following order:

subject=CN=SAS VIYA Root CA,issuer=CN=SAS VIYA Root CA 

subject=CN=SAS VIYA Intermediate CA,issuer=CN=SAS VIYA Root CA

 

Anyone know why it is complaining about the certificate?

1 ACCEPTED SOLUTION

Accepted Solutions
SDV
Obsidian | Level 7 SDV
Obsidian | Level 7

With a little help from our friends at SAS Technical Support I was able to get the certificate imported.  Here are the instructions I was given that allowed me to successfully perform the import:

 

  • Edit the trustedcerts.pem file
  • Copy the two certificates that are labelled as 'SAS VIYA Root CA' & 'SAS VIYA Intermediate CA'
  • Copy just the two blocks like this, no comments, in the new file

              -----BEGIN CERTIFICATE-----

             <block of base-64 encoded text>

             -----END CERTIFICATE-----

             -----BEGIN CERTIFICATE-----

             <block of base-64 encoded text>

             -----END CERTIFICATE-----

  • Paste the two certificates into a new file and save as a .pem file
     
    As stated in the SDM panel's text about subject-issuer order with the root cert last, you need the intermediate cert block first, then the root cert block last.
  • Run the SAS Deployment Manager to import the certificate from the new .pem file

Now, off to create the authinfo file...

View solution in original post

5 REPLIES 5
alexal
SAS Employee

@SDV,

 

Because you are using the wrong file. You have to import this file /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem from SAS Viya server. FYI, in the December 2017 release of SAS 9.4M5 you do not need to do that.

SDV
Obsidian | Level 7 SDV
Obsidian | Level 7

@alexal  I appreciate the reply. I'll try that file.

SDV
Obsidian | Level 7 SDV
Obsidian | Level 7

I copied the file trustedcerts.pem to the SAS 9.4 server, tried the import of it using deployment manager and get "Certificate file is not Base-64 encoded". 

 

The file came from the viya cacerts directory.  I tried to import the cert when it was named trustedcerts.pem and stored in the sas user's home dir, but the deployment manager said it had to be renamed.  I renamed it to tcerts.pem, tried to import it and got the error mentioned above.

 

 

alexal
SAS Employee

@SDV,

 

Please validate the PEM file using these commands:

openssl x509 -in <PATH_TO_PEM_FILE> -text
openssl verify <PATH_TO_PEM_FILE>
SDV
Obsidian | Level 7 SDV
Obsidian | Level 7

With a little help from our friends at SAS Technical Support I was able to get the certificate imported.  Here are the instructions I was given that allowed me to successfully perform the import:

 

  • Edit the trustedcerts.pem file
  • Copy the two certificates that are labelled as 'SAS VIYA Root CA' & 'SAS VIYA Intermediate CA'
  • Copy just the two blocks like this, no comments, in the new file

              -----BEGIN CERTIFICATE-----

             <block of base-64 encoded text>

             -----END CERTIFICATE-----

             -----BEGIN CERTIFICATE-----

             <block of base-64 encoded text>

             -----END CERTIFICATE-----

  • Paste the two certificates into a new file and save as a .pem file
     
    As stated in the SDM panel's text about subject-issuer order with the root cert last, you need the intermediate cert block first, then the root cert block last.
  • Run the SAS Deployment Manager to import the certificate from the new .pem file

Now, off to create the authinfo file...

sas-innovate-2024.png

Don't miss out on SAS Innovate - Register now for the FREE Livestream!

Can't make it to Vegas? No problem! Watch our general sessions LIVE or on-demand starting April 17th. Hear from SAS execs, best-selling author Adam Grant, Hot Ones host Sean Evans, top tech journalist Kara Swisher, AI expert Cassie Kozyrkov, and the mind-blowing dance crew iLuminate! Plus, get access to over 20 breakout sessions.

 

Register now!

Discussion stats
  • 5 replies
  • 3900 views
  • 1 like
  • 2 in conversation