Manually configure and/or renew certificates for SAS® Environment Manager to enable HTTPS on Windows systems


This SAS knowledge base article provides instructions for how to manually configure and/or renew certificates for SAS Environment Manager to enable HTTPS on Windows systems.

Note: The following prerequisites must be satisfied before attempting the steps within this knowledge base article:

•  SAS® Web Server must already be configured for HTTPS. You either need to have chosen to configure SAS Web Server during the initial installation and configuration with the SAS Deployment Wizard, or manually configure SAS Web Server by following the Configure SAS Web Server Manually for HTTPS documentation.

•  The SAS Web Server certificate-related files must already have been updated by following the Update the Key and Certificate That Are Used by SAS Web Server documentation.

Note: These instructions must be performed on the machine that contains the SAS Environment Manager service.

1. Make sure that you have the following files available before proceeding with the rest of the steps:

Note: Depending on where the SAS Environment Manager service resides, the certificate and key files that you must use will differ:

The above files must satisfy the following requirements from the Obtaining a Signed Certificate for SAS Web Server section of the SAS® 9.4 Intelligence Platform: Security Administration Guide documentation:

Note: The resulting certificate files will likely end with a .crt extension. They might end in a .cer extension. They do not have to end in a .pem extension.

You should also explicitly check that the server certificate and its corresponding private key match.

Note: There are various OpenSSL command variants for accomplishing this task. One such set of commands can be found on the SSL Shopper's Certificate Key Matcher page.
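
One way to run this check from a Command Prompt session, as an added example that is not part of the SAS article: it compares the public key inside the certificate with the public key derived from the private key. The file names server.crt and server.key are placeholders, and openssl.exe is assumed to be reachable through PATH.

```batch
@echo off
rem Added example (not SAS code): check that a certificate and private key are a pair.
rem Assumptions: server.crt and server.key are placeholder file names in the
rem current directory, and openssl.exe is reachable through PATH.
setlocal
set "CERT_PUB=%TEMP%\cert_pub.pem"
set "KEY_PUB=%TEMP%\key_pub.pem"
set RC=2

rem Public key embedded in the server certificate.
openssl x509 -in server.crt -noout -pubkey > "%CERT_PUB%" || goto :cleanup

rem Public key derived from the private key. Works for RSA and EC keys and
rem prompts for the passphrase if the key file is encrypted.
openssl pkey -in server.key -pubout > "%KEY_PUB%" || goto :cleanup

rem fc sets errorlevel 0 only when both files are identical.
fc "%CERT_PUB%" "%KEY_PUB%" > nul
if errorlevel 1 (
    echo MISMATCH: server.key does not belong to server.crt
    set RC=1
) else (
    echo OK: certificate and private key match
    set RC=0
)

:cleanup
if %RC%==2 echo ERROR: openssl could not read server.crt or server.key
del "%CERT_PUB%" "%KEY_PUB%" 2> nul
endlocal & exit /b %RC%
```

Only public keys are written to the temporary files; the private key never leaves server.key.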

SAS Technical Support does not assist with obtaining or generating certificates/keys. The ownership/responsibility for obtaining the correct certificates in the valid format lies with the customer.

 

2. If the SAS Environment Manager service is present on the same machine as a SAS Web Server service, place the files from the previous step in the SAS-configuration-directory\LevN\Web\WebServer\ssl directory.

 

3. Along with the files from step 1, the Networking or Information Security team at your organization might have provided a certificate chain file that itself contains the root certificate, your intermediate certificate(s), and your server certificate.

Assuming that this is the case, if the SAS Web Server is present on the same machine(s) where the SAS Environment Manager service is present, place the chain file in the SAS-configuration-directory\LevN\Web\WebServer\ssl directory.

Otherwise, perform the following steps to create the certificate chain file:

a.   In a text editor, create a new file.

b.   In a separate text editor instance/window/tab, open the root certificate.

c.   Copy the contents of the root certificate into the new file.

d.   Close the root certificate text editor instance, keeping the new file where you pasted its contents open.

e.   In a separate text editor instance/window/tab, open the first intermediate certificate.

f.    Copy the contents of the intermediate certificate directly below the contents of the root certificate.

g.   Close the intermediate certificate text editor instance, keeping the new file where you pasted its contents open.

h.   Repeat the previous three steps for each intermediate certificate that you have.

i.    In a separate text editor instance/window/tab, open the server certificate.

j.    Copy the contents of the server certificate directly below the contents of the last intermediate certificate.

k.   Close the server certificate text editor instance, keeping the new file where you pasted its contents open.

l.    Save the new file with a .pem extension on the machine where the SAS® Web Application Server instances are present. If a SAS Web Server is present on the same machine, place it in the SAS-configuration-directory\LevN\Web\WebServer\ssl directory.

 

At this point, the contents of the saved file should resemble the following:

-----BEGIN CERTIFICATE-----
<ROOT_CERTIFICATE_CONTENTS>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<FIRST_INTERMEDIATE_CERTIFICATE_CONTENTS>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<LAST_INTERMEDIATE_CERTIFICATE_CONTENTS>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<SERVER_CERTIFICATE_CONTENTS>
-----END CERTIFICATE-----
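
The same chain file can be assembled and checked from the command line instead of a text editor. This is an added example, not part of the SAS article; root.crt, intermediate.crt, and server.crt are placeholder names for PEM files with a single intermediate, and openssl.exe is assumed to be reachable through PATH.

```batch
@echo off
rem Added example (not SAS code): build chain.pem in the order shown above and
rem check it. Assumptions: root.crt, intermediate.crt and server.crt are
rem placeholder names for PEM files in the current directory (one intermediate),
rem and openssl.exe is reachable through PATH.
setlocal

rem Binary concatenation in the article's order: root, intermediate, server.
copy /b root.crt + intermediate.crt + server.crt chain.pem > nul || goto :fail

rem A source file without a final newline glues an END line to the next BEGIN
rem line, which makes the following certificate unreadable.
findstr /c:"----------BEGIN CERTIFICATE" chain.pem > nul
if not errorlevel 1 (
    echo FAIL: two certificates share a line, add a newline at the end of each file
    goto :fail
)

rem Count the certificate blocks. Three are expected for one intermediate.
for /f %%n in ('type chain.pem ^| find /c "-----BEGIN CERTIFICATE-----"') do set COUNT=%%n
if not "%COUNT%"=="3" (
    echo FAIL: expected 3 certificates in chain.pem, found %COUNT%
    goto :fail
)

rem Confirm the server certificate chains to the root through the intermediate.
rem With several intermediates, put them all in the file passed to -untrusted.
openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt || goto :fail

echo OK: chain.pem built and server.crt verifies against root.crt
endlocal & exit /b 0

:fail
echo Chain file check failed
endlocal & exit /b 1
```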

Note: If SAS Environment Manager is already configured for HTTPS and you are simply attempting to update the certificates that it is using, skip to Step #7. Otherwise, if you are configuring SAS Environment Manager for HTTPS, proceed with the immediate next Step, #4.

4. Make a backup copy for each of the following files:

5. Edit the original files and replace all references of SAS Environment Manager HTTP port (7080 by default) with the SAS Environment Manager HTTPS port (7443 by default) and update the protocol from HTTP to HTTPS.

Note: Change the URLs only where the port is 7080, because those files also contain SASLogon URLs, which should NOT be changed.

 

6. Log on to SAS Management Console as an unrestricted user and perform the following tasks:

 

7. In a command-prompt session, run the following command to create an environment variable that points to the OpenSSL install directory: 

set OPENSSL_HOME=<SAS_HOME_DIR>\SASWebServer\9.4\<HTTPD-VERSION>

 

8. Run the following command to create an environment variable that forces the OpenSSL tool to look for a configuration file in an alternative location:

set OPENSSL_CONF=%OPENSSL_HOME%\ssl\openssl.cnf

Note: If you cannot find this file in this location, be sure to check the other versions of httpd* for this openssl.cnf file.

Note: Starting with SAS® 9.4M6, you must generate your own openssl.cnf file. See the Preparation for Setting Up Digital Certificates documentation for details.

Note: It is often possible to proceed without an openssl.cnf file. If you do not already have one, it might be preferable to proceed without the file instead of attempting to create it. A warning might be displayed but it should not prevent the use of the openssl executable to generate the hyperic.p12 file in Step #7.

 

9. If your SASHome and configuration directories are located on different volumes (such as C:\ and D:\), run the following command to prevent an "unable to write 'random state'" warning message:

set RANDFILE=<drive-letter>:\<folder>\.rnd

Note: In the command above, substitute the corresponding values for each placeholder:

If you receive the aforementioned warning when executing later openssl commands, you might need to specify a different drive and/or folder due to your environment's setup.
 

10. Run the following command to add the path to the OpenSSL binaries to your computer's path variable:

set PATH=%OPENSSL_HOME%\bin;%PATH%

 

11. Create a hyperic.p12 file containing the updated certificates by executing the appropriate command based on the type of certificates you are using. Execute only one of the following commands for this step:

Site-signed or third-party certificate authority (CA) certificates (most common):

Note: When prompted, enter hyperic for the password.

 

Self-signed certificates (uncommon):

Note: The hyperic.p12 file will be created in the directory where you ran the openssl command.

 

12. Run the following keytool command to create the new hyperic.keystore file from the hyperic.p12 file created in the previous step:

<SAS_HOME_DIR>\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\keytool.exe -importkeystore -srcstoretype PKCS12 -srckeystore <PATH_TO_P12_FILE.p12> -destkeystore hyperic.keystore -srcstorepass hyperic -deststorepass hyperic -destkeypass hyperic -alias hq

Note: This command creates the hyperic.keystore file in the directory where you ran the keytool command.
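
Before the new keystore replaces the live one, it is worth confirming that the hq alias holds a private key entry with the renewed certificate. The following is an added example, not part of the SAS article; it assumes that it is run in the directory that holds the new hyperic.keystore and that the first argument is the full path to the keytool.exe used above.

```batch
@echo off
rem Added example (not SAS code): inspect the new hyperic.keystore before it
rem replaces the live one. Assumptions: run in the directory that holds the new
rem hyperic.keystore; the first argument is the full path to the keytool.exe
rem used in step 12 (falls back to keytool on PATH).
setlocal
set "KEYTOOL=%~1"
if not defined KEYTOOL set "KEYTOOL=keytool"
set "REPORT=%TEMP%\hq_entry.txt"

rem List only the hq alias, using the store password from the import command.
"%KEYTOOL%" -list -v -keystore hyperic.keystore -storepass hyperic -alias hq > "%REPORT%" 2>&1
if errorlevel 1 (
    type "%REPORT%"
    echo FAIL: alias hq could not be read from hyperic.keystore
    goto :fail
)

rem The entry must carry the private key, not just a trusted certificate.
findstr /c:"PrivateKeyEntry" "%REPORT%" > nul
if errorlevel 1 (
    echo FAIL: alias hq is not a PrivateKeyEntry
    goto :fail
)

rem Show the fields to review by eye: chain length, subject, issuer, validity.
findstr /c:"Certificate chain length" /c:"Owner:" /c:"Issuer:" /c:"Valid from" "%REPORT%"
del "%REPORT%" 2> nul
endlocal & exit /b 0

:fail
del "%REPORT%" 2> nul
endlocal & exit /b 1
```

Check that the "Valid from ... until" line for the server certificate shows the renewed dates, not those of the certificate being replaced.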

 

13. Once the new hyperic.keystore file has been created, take a backup of your current hyperic.keystore in the SAS-configuration-directory\LevN\Web\SASEnvironmentManager\server-<version>-EE\conf directory. Then, replace the current hyperic.keystore file with the new one created in the previous step.

 

14. Stop the SAS Environment Manager Agent services, SAS Environment Manager, SAS Web Application Server instances, and the SAS Web Server (if they have not been stopped already).

Note: For information about stopping/starting SAS services, see the Operating Your Servers documentation section.

 

15. On the machine where the SAS® Web Infrastructure Platform Data Server is installed (typically your primary SAS compute-tier machine), open a command prompt window and log on as the SAS installer user.

 

16. In the command prompt window, run the following command:

<SAS_HOME_DIR>\SASWebInfrastructurePlatformDataServer\9.4\bin\psql -h <WIPDS_NAME> -p <WIPDS_PORT> -U <WIPDS_ADMINUSER> -d EVManager

Note: In the command above, substitute the corresponding values for each placeholder:

 

17. In the resulting psql prompt, run the following command:

delete from eam_keystore;

 

18. Quit the psql console by typing \q and pressing Enter.

 

19. Delete the contents of the SAS-configuration-directory\LevN\Web\SASEnvironmentManager\agent-<version>-EE\data directory on all SAS server machines.

 

20. Start the SAS Web Server, SAS Web Application Server instance(s), SAS Environment Manager, and SAS Environment Manager Agent services.

Note: SAS Web Application Servers (especially SASServer1_1) can take a long time to load. Do not proceed until you see the following message at the bottom of your SAS-configuration-directory\LevN\Web\WebAppServer\SASServer1_1\logs\server.log file:

"Server startup in ... ms."

Note: The SAS Environment Manager Agent service should be started by running Command Prompt as Administrator and then running the following command: 

<SAS_CONFIG>\Lev#\Web\SASEnvironmentManager\agent-5.8.0-EE\bin\hq-agent.bat start

21. Log on to the SAS Environment Manager Web Console (using https://<HOSTNAME>:7443, assuming that the default port is being used).

22. (Optional) To disable non-secure HTTP access on port 7080, follow the steps from the documentation here.