Hello everyone,
I'm trying to use proc http to query an https site. I tried to set up the SSL certificate per the SAS documentation (link is below).
link to sas documentation:
Base SAS(R) 9.3 Procedures Guide, Second Edition
I put the following code in my cfg file:
-JREOPTIONS=(
-Djavax.net.ssl.trustStore=C:\Users\Bill\SAS\CACERT\ca-bundle.crt
-Djavax.net.ssl.trustStorePassword=trustStorePassword
)
SAS opens up and runs fine. Except when I execute the proc http to query the https site, I get the following error:
200 proc http
201 url="&url."
202 method='POST'
203 headerin=header
204 in=body
205 ct='application/x-www-form-urlencoded;charset=UTF-8'
206 headerout=hout
207 out=json;
208 run;
ERROR: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
NOTE: PROCEDURE HTTP used (Total process time):
real time 0.29 seconds
cpu time 0.03 seconds
Should I specify a different file in the cfg file? I tried cacert.pem, but it didn't work. Also, I tried deleting the 2nd line of the jreoptions above (trustStorePassword), but I still got the same error message. Note I'm running SAS 9.3 on Windows Professional. Additionally, I believe the parameters (header, body, etc.) of my request are correct. I can use cURL to query the same site without any issues.
Thanks so much for any suggestions.
Regards,
Bill
This issue is due to your file containing multiple concatenated certificates. You either need to extract each certificate to a separate file and then import or you can try using the following tool, which should be able to import the multiple certificates for you in one swoop.
java-keyutil - Java Key Store (JKS) Utility - Google Project Hosting
Thanks for the link. I'm trying to implement the solution proposed by Xia. However, I can't seem to get the jreoption to work correctly.
You cannot set a certificate file as a trustStore; you need to add this certificate to a valid trustStore and then use this trustStore in your configuration. You can build a trustStore, if you don't have one, using the keytool utility.
keytool -genkey -keyalg RSA -alias mycert
-jreoptions (-Dtkj.app.launch.config=!SASROOT/picklist
-Dsas.app.class.path=/usr/local/SAS/SASVersionedJarRepository/9.2/eclipse/plugins/tkjava.jar
-DPFS_TEMPLATE=!SASROOT/misc/base/qrpfstpt.xml
-Djava.security.policy=!SASROOT/misc/base/sas.policy
-Djava.security.auth.login.config=!SASROOT/misc/base/sas.login.config
-Djava.class.path=/usr/local/SAS/SASVersionedJarRepository/9.2/eclipse/plugins/sas.launcher.jar
-Djava.system.class.loader=com.sas.app.AppClassLoader
-Dsas.ext.config=!SASROOT/misc/base/sas.java.ext.config
-Djavax.net.ssl.trustStore=/home/&sysuserid/.keystore
-Djavax.net.ssl.trustStorePassword=q1w2e3)
http://support.sas.com/documentation/cdl/en/proc/61895/HTML/default/viewer.htm#a003286920.htm
FriedEgg,
Thanks very much for your assistance. I'll attempt to build a trustStore and will report back.
Thanks again,
Bill
FriedEgg,
I was able to create the truststore using the syntax that you provided. However, when I try to add cacerts.crt to the truststore, I get an error message, see below. Is this the correct syntax? Do I need to alter the cacerts.crt file?
Thanks!
Bill
C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias mycert -file cacerts.crt -keystore keystore.jks
Enter keystore password:
Re-enter new password:
keytool error: java.lang.Exception: Input not an X.509 certificate
Try running just the following:
keytool -printcert -file cacerts.crt
or, get the openssl binary
https://www.openssl.org/related/binaries.html
and try the following:
openssl x509 -in cacerts.crt -text -noout
or (if that doesn't work)
openssl x509 -in cacerts.crt -inform der -text -noout
I tried four different options. The three you suggested as well as attempting to use a cacert.pem file instead of the cacerts.crt. Unfortunately, none of them worked, see below.
Option 1:
C:\Program Files (x86)\Java\jre6\bin>keytool -printcert -file cacerts.crt
keytool error: java.lang.Exception: Failed to parse input
Option 2:
C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacerts.crt -text -noout
unable to load certificate
5644:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
Option 3:
C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacerts.crt -inform der -text -noout
unable to load certificate
5228:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\crypto\asn1\asn1_lib.c:157:
Option 4 (cacert.pem file):
C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in cacert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 903804111 (0x35def4cf)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Validity
Not Before: Aug 22 16:41:51 1998 GMT
Not After : Aug 22 16:41:51 2018 GMT
Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
DirName: C = US, O = Equifax, OU = Equifax Secure Certificate Authority, CN = CRL1
X509v3 Private Key Usage Period:
Not After: Aug 22 16:41:51 2018 GMT
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
X509v3 Subject Key Identifier:
48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
X509v3 Basic Constraints:
CA:TRUE
1.2.840.113533.7.65.0:
0...V3.0c....
Signature Algorithm: sha1WithRSAEncryption
This appeared to work! However, I got an error, when I tried to add the cacert.pem file to the truststore that I created.
C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias mycert -file cacert.pem -keystore keystore.jks
Enter keystore password:
Re-enter new password:
keytool error: java.lang.Exception: Input not an X.509 certificate
Since I was able to get further with the cacert.pem file, should I use it instead of cacerts.crt?
Thanks so much for your time with this.
I looked in the file and cannot find the BEGIN CERTIFICATE part. It appears to be encoded. This is what I see when I open it in notepad:
Should I open the file with another program?
At this point I would have to recommend that you consult with the source of the certificate you are trying to import to find out from them what format they have provided you. Once you know that, you should be able to use openssl to convert it to a version compatible with the java keytool.
Thanks for your advice. I consulted with the website admin, and I need to use ca-bundle.crt found at the link immediately below.
http://curl.haxx.se/docs/caextract.html
I downloaded the file and removed any text before the first instance of ---BEGIN CERTIFICATE--. I was able to get some info on the certificate, but got an error when I tried to import into the keystore:
C:\Program Files (x86)\Java\jre6\bin>"C:\OpenSSL-Win64\bin\openssl.exe" x509 -in ca-bundle.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 903804111 (0x35def4cf)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Validity
Not Before: Aug 22 16:41:51 1998 GMT
Not After : Aug 22 16:41:51 2018 GMT
Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
DirName: C = US, O = Equifax, OU = Equifax Secure Certificate Authority, CN = CRL1
X509v3 Private Key Usage Period:
Not After: Aug 22 16:41:51 2018 GMT
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
X509v3 Subject Key Identifier:
48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
X509v3 Basic Constraints:
CA:TRUE
1.2.840.113533.7.65.0:
0...V3.0c....
Signature Algorithm: sha1WithRSAEncryption
C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -alias sslcert -file ca-bundle.crt -keystore keystore.jks
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate
This issue is due to your file containing multiple concatenated certificates. You either need to extract each certificate to a separate file and then import or you can try using the following tool, which should be able to import the multiple certificates for you in one swoop.
java-keyutil - Java Key Store (JKS) Utility - Google Project Hosting
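The "extract each certificate to a separate file and then import" route from the answer above, as an added example that is not part of the original thread: a Python sketch that splits a concatenated PEM bundle and builds one keytool import command per certificate. The function names, alias scheme and sample bundle are assumptions for illustration; the sample bodies are placeholder base64, not real certificates.

```python
import re
import subprocess
from pathlib import Path

# Matches one PEM certificate block; text between blocks (CA names, comments) is skipped.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+-----END CERTIFICATE-----"
)

# Constructed sample: bundle layout with placeholder bodies (keytool would reject these).
SAMPLE_BUNDLE = (
    "## constructed bundle header comment\n"
    "Example Root A\n==============\n"
    "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----\n"
    "\nExample Root B\n==============\n"
    "-----BEGIN CERTIFICATE-----\r\nSUpLTE1OT1A=\r\n-----END CERTIFICATE-----\r\n"
)

def split_bundle(bundle_text):
    """Return every certificate block in a concatenated PEM bundle, in file order."""
    blocks = [m.group(0).replace("\r\n", "\n") + "\n"
              for m in PEM_CERT.finditer(bundle_text)]
    if not blocks:
        # DER or PKCS#7 input has no BEGIN CERTIFICATE marker; convert it first.
        raise ValueError("no PEM certificate blocks found")
    return blocks

def import_commands(bundle_text, out_dir, keystore, storepass, alias_prefix="ca"):
    """Write one .pem file per certificate and return a keytool argv list for each."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    commands = []
    for i, pem in enumerate(split_bundle(bundle_text), start=1):
        alias = f"{alias_prefix}-{i:03d}"  # hypothetical scheme; aliases must be unique
        cert_file = out / f"{alias}.pem"
        cert_file.write_bytes(pem.encode("ascii"))
        commands.append(["keytool", "-import", "-trustcacerts", "-noprompt",
                         "-alias", alias, "-file", str(cert_file),
                         "-keystore", str(keystore), "-storepass", storepass])
    return commands

def run_imports(commands):
    """Run each keytool command in turn; raises CalledProcessError on the first failure."""
    for argv in commands:
        subprocess.run(argv, check=True)
```

Passing `-storepass` on the command line exposes the password to local process listings, so run this only on a host where that is acceptable.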
Thanks for the link! There are several certificates in the ca-bundle.crt file, so I definitely want to import them all at once.
I tried using the keytool utility but it cannot find the crt file that I'm trying to import. Note the file (ca-bundle.crt) is in the java bin directory (C:\Program Files (x86)\Java\jre6\bin).
C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file ca-bundle.crt --import-jks-file trustStore.jks:changeit
The system cannot find the file specified.
C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file C:\Program Files (x86)\Java\jre6\bin\ca-bundle.crt --import-jks-file trustStore.jks:changeit
The system cannot find the file specified.
C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --new-keystore trustStore.jks --password <changeit> \ --import-pem-file "C:\Program Files (x86)\Java\jre6\bin\ca-bundle.crt" --import-jks-file trustStore.jks:changeit
The system cannot find the file specified.
Also, I tried to import the certificates from a p7b file (read a post on Stack Overflow, link below), but ran into the same issue. Java cannot find the file even though cachain.p7b is in the java bin directory.
openssl - How to add certificate chain to keystore? - Stack Overflow
C:\Program Files (x86)\Java\jre6\bin>keytool -import -trustcacerts -file cachain.p7b -keystore keystore -storepass <password> -alias "mycert"
The system cannot find the file specified.
FriedEgg,
Thanks very much for your help with this issue. I used the java keyutil to add all the certificates in the ca-bundle.crt file to the keystore. However, I had to modify the syntax on the keyutil page to get it to work.
CMD window:
Creates keystore and adds ca-bundle.crt
C:\Program Files (x86)\Java\jre6\bin>java -jar keyutil-0.4.0.jar --import --new-keystore keystore.jks --password changeit --import-pem-file ca-bundle.crt
Check to see if certificates are loaded:
C:\Program Files (x86)\Java\jre6\bin>keytool -list -keystore keystore.jks
In sas config file:
-JREOPTIONS=(
-DPFS_TEMPLATE=!SASROOT\tkjava\sasmisc\qrpfstpt.xml
-Djava.class.path=C:\PROGRA~1\SASHome\SASVER~1\eclipse\plugins\SASLAU~1.JAR
-Djava.security.auth.login.config=!SASROOT\tkjava\sasmisc\sas.login.config
-Djava.security.policy=!SASROOT\tkjava\sasmisc\sas.policy
-Djava.system.class.loader=com.sas.app.AppClassLoader
-Dlog4j.configuration=file:/C:/Program%20Files/SASHome/SASFoundation/9.3/tkjava/sasmisc/sas.log4j.properties
-Dsas.app.class.path=C:\PROGRA~1\SASHome\SASVER~1\eclipse\plugins\tkjava.jar
-Dsas.ext.config=!SASROOT\tkjava\sasmisc\sas.java.ext.config
-Dsas.jre.libjvm=C:\PROGRA~2\Java\jre6\bin\client\jvm.dll
-Dtkj.app.launch.config=C:\PROGRA~1\SASHome\SASVER~1\picklist
-Djavax.net.ssl.trustStore=C:\PROGRA~2\Java\jre6\bin\keystore.jks
-Djavax.net.ssl.trustStorePassword=changeit
-Xms128m
-Xmx128m
)
Regards,
Bill