This SAS knowledge base article provides instructions for how to manually configure and/or renew certificates for SAS Environment Manager to enable HTTPS on Linux or UNIX systems. 

Note: The following prerequisites must be satisfied before attempting to perform the steps with this knowledge base article:

•  SAS^® Web Server must already be configured for HTTPS. You either need to have chosen to configure SAS Web Server during the initial installation and configuration with SAS^® Deployment Wizard or manually by following the Configure SAS Web Server Manually for HTTPS documentation.

•  The SAS Web Server certificate-related files must already have been updated by following the Update the Key and Certificate That Are Used by SAS Web Server documentation.

1. Make sure that you have the following files available before proceeding with the rest of the steps:

• your updated server certificate
• the private key corresponding to your updated server certificate
• your intermediate certificate(s)
• your root certificate

Note: Depending on where the SAS Environment Manager service resides, the certificate and key files that need to be used will differ:

• If the SAS Environment Manager service is present on the same machine as a SAS Web Server service, you can use the same files as those used for that SAS Web Server.

• If the SAS Environment Manager service is present on a separate machine where no SAS Web Server service is present, you must use a different set of certificates that have been generated specifically for SAS Environment Manager.

The above files must satisfy the following requirements from the Obtaining a Signed Certificate for SAS Web Server section of the SAS^® 9.4 Intelligence Platform: Security Administration Guide documentation:

• The key file should NOT be protected by a passphrase.
• Both the certificate and key files should NOT be encrypted, but instead should be in 64-bit Privacy-enhanced Electronic Mail (PEM) format.

Note: The resulting certificate files will likely end with a .crt extension. They might end in a .cer extension. They do not have to end in a .pem extension.

You should also explicitly check that the server certificate and its corresponding private key match.

Note: There are various OpenSSL command variants for accomplishing this task. One such set of commands can be found on the SSL Shopper's Certificate Key Matcher page.

SAS Technical Support does not assist with obtaining or generating certificates/keys. The ownership/responsibility of obtaining the correct certificates in the valid format lies with the customer.

 

2. If the SAS Environment Manager service is present on the same machine as a SAS Web Server service, place the files from the previous step in the SAS-configuration-directory/LevN/Web/WebServer/ssl directory.

 

3. Along with the files from step 1, the Networking or Information Security team at your organization might have provided a certificate chain file that itself contains the root certificate, your intermediate certificate(s), and your server certificate.

Assuming that this is the case, if the SAS Web Server is present on the same machine(s) where the SAS Environment Manager service is present, place the chain file in the SAS-configuration-directory/LevN/Web/WebServer/ssl directory.

Otherwise, perform the following steps to create the certificate chain file:

a.   In a text editor, create a new file.

b.   In a separate text editor instance/window/tab, open the root certificate.

c.   Copy the contents of the root certificate into the new file.

d.   Close the root certificate text editor instance, keeping the new file where you pasted its contents open.

e.   In a separate text editor instance/window/tab, open the first intermediate certificate.

f.    Copy the contents of the intermediate certificate directly below the contents of the root certificate.

g.   Close the intermediate certificate text editor instance, keeping the new file where you pasted its contents open.

h.   Repeat the previous three steps for each intermediate certificate that you have.

i.    In a separate text editor instance/window/tab, open the server certificate.

j.    Copy the contents of the server certificate directly below the contents of the last intermediate certificate.

k.   Close the server certificate text editor instance, keeping the new file where you pasted its contents open.

l.    Save the new file with a .pem extension on the machine where the SAS Web Application Server instances are present. If a SAS Web Server is present on the same machine, place it in the SAS-configuration-directory/LevN/Web/WebServer/ssl directory.

 

At this point, the contents of the saved file should resemble the following:

Note: If SAS Environment Manager is already configured for HTTPS and you are simply attempting to update the certificates it is using, skip to Step #7. Otherwise, if you are configuring SAS Environment Manager for HTTPS, proceed with the immediate next step, #4.

 

4. Make a backup copy for each of the following files:·

• SAS-configuration-directory/LevN/Web/SASEnvironmentManager/server-version-EE/hq-engine/hq-server/webapps/ROOT/WEB-INF/spring/security-web-context.xml
• SAS-configuration-directory/LevN/Web/SASEnvironmentManager/server-version-EE/hq-engine/hq-server/webapps/ROOT/WEB-INF/web.xml

 

5. Edit the original files and replace all references of SAS Environment Manager HTTP port (7080 by default) with the SAS Environment Manager HTTPS port (7443 by default) and update the protocol from HTTP to HTTPS.

Note: Change only the URLS where the port is 7080, because those files contain SASLogon URLs, which should NOT be changed.

 

6. Log on to SAS Management Console as an unrestricted user and perform the following tasks:

• On the Plug-ins tab, navigate to Application Management ► Configuration Manager ► SAS Application Infrastructure.
• Right-click DP-SAS-Environment-Manager machine-name and select Properties.
• Select the Internal Connection tab. Change the protocol to HTTPS and the port number to the secure port that was defined during the SAS Deployment Wizard configuration (7443 by default).

 

7. Set the initial environment variables for OpenSSL by executing the following commands:

• export OPENSSL_HOME=<SAS_HOME_DIR>/SASWebServer/9.4/httpd-<VERSION>
• export OPENSSL_CONF=$OPENSSL_HOME/ssl/openssl.cnf
• export PATH=$OPENSSL_HOME/bin:$PATH

 

8. Set the OpenSSL library path environment variable by executing the appropriate command based on your specific UNIX operating system. Note that, for this reason, only one of the following commands should be executed for this step:

Linux or Solaris:

• export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<SAS_HOME_DIR>/SASWebServer/9.4/httpd-<version>/lib

AIX:

• export LIBPATH=<SAS_HOME_DIR>/SASWebServer/9.4/httpd-<version>/lib

HP-UX:

• export SHLIB_PATH=<SAS_HOME_DIR>/SASWebServer/9.4/httpd-<version>/lib:$SHLIB_PATH

 

9. Create a hyperic.p12 file containing the updated certificates by executing the appropriate command based on the type of certificates you are using. Note that, for this reason, only one of the following commands should be executed for this step.

Site-signed or third-party certificate authority (CA) certificates (most common):

• • <SAS_HOME_DIR>/SASWebServer/9.4/httpd-<VERSION>/bin/openssl pkcs12 -export -chain -inkey <PATH_TO_SERVER_KEY.key> -in <PATH_TO_SERVER_CERTIFICATE.crt> -name hq -CAfile <PATH_TO_CERTIFICATE_CHAIN_FILE.pem> -out hyperic.p12

Note: When prompted, enter hyperic for the password.

Self-signed certificates (uncommon):

• • <SAS_HOME_DIR>/SASWebServer/9.4/httpd-<VERSION>/bin/openssl pkcs12 -export -inkey <PATH_TO_SERVER_KEY.key> -in <PATH_TO_SERVER_CERTIFICATE.crt> -name hq -password pass:hyperic -out hyperic.p12

Note: The hyperic.p12 file will be created in the directory where you ran the openssl command.

 

10. Run the following keytool command to create the new hyperic.keystore file from the hyperic.p12 file created in the previous step:

<SAS_HOME_DIR>/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -importkeystore -srcstoretype PKCS12 -srckeystore <PATH_TO_P12_FILE.p12> -destkeystore hyperic.keystore -srcstorepass hyperic -deststorepass hyperic -destkeypass hyperic -alias hq

Note: This command creates the hyperic.keystore file in the directory where you ran the keytool command.

 

11. Once the new hyperic.keystore file has been created, take a backup of your current hyperic.keystore in the SAS-configuration-directory/LevN/Web/SASEnvironmentManager/server-<version>-EE/conf directory. Then, replace the current hyperic.keystore file with the new one created in the previous step.

 

12. Stop the SAS Environment Manager Agent services, SAS Environment Manager, SAS Web Application Server instances, and the SAS Web Server (if they have not been stopped already).

Note: For information about stopping/starting SAS services, see the Operating Your Servers documentation section.

 

13. On the machine where the SAS Web Infrastructure Platform Data Server is installed (typically your primary SAS compute-tier machine), log on as the SAS installer user and then issue the following psql commands:

• POSTGRES_HOME=<SAS_HOME_DIR>/SASWebInfrastructurePlatformDataServer/9.4
• export PATH=${POSTGRES_HOME}/bin:$PATH

 

14. Temporarily add the Postgres library location to the library path environment variable by executing the appropriate command based on your specific UNIX operating system. Note that, for this reason, only one of the following commands should be executed for this step:

Linux or Solaris:

• export LD_LIBRARY_PATH=${POSTGRES_HOME}/lib:$LD_LIBRARY_PATH

AIX:

• export LIBPATH=${POSTGRES_HOME}/lib:$LIBPATH

HP-UX:

• export SHLIB_PATH=${POSTGRES_HOME}/lib:$SHLIB_PATH

 

15. Delete the database entry for the previous keystore by executing the following command:

psql -h localhost -p 9432 -U EVManager -c "delete from public.eam_keystore;"

Note: If this command executes successfully, skip to step 19. Otherwise, proceed with the next step.

 

16. Access the EVManager database by executing the following command:

<SAS_HOME_DIR>/SASWebInfrastructurePlatformDataServer/9.4/bin/psql -h <WIPDS_NAME> -p <WIPDS_PORT> -U <WIPDS_ADMINUSER> -d EVManager

Note: In the command above, please substitute the corresponding values for each placeholder:

• <WIPDS_NAME> refers to the fully qualified domain name of the machine where the SAS Web Infrastructure Platform Data Server is installed, which is the same machine where you are logged on to execute this command. You might also simply use a value of localhost for this reason.

• <WIPDS_PORT> refers to the port used for the SAS Web Infrastructure Platform Data Server that was specified during installation:
  • For Lev1 environments, this is typically the default port of 9432.
  • This port should be the one that can be found by examining the Resource tags with name="sas/jdbc/SharedServices" within your SAS-configuration-directory/LevN/Web/WebAppServer/SASServer1_1/conf/server.xml file.

• <WIPDS_ADMINUSER> refers to the name of the administrative user for the SAS Web Infrastructure Platform Data Server. This is typically EVManager.

 

17. Delete the database entry for the previous keystore by executing the following command:

delete from eam_keystore;

 

18 Quit the psql console by typing \q and pressing Enter.

 

19. Delete the contents of the SAS-configuration-directory/LevN/Web/SASEnvironmentManager/agent-<version>-EE/data directory on all SAS server machines.

 

20. Start the SAS Web Server, SAS Web Application Server instance(s), SAS Environment Manager, and SAS Environment Manager Agent services.

Note: SAS Web Application Servers (especially SASServer1_1) can take a long time to load. Do not proceed until you see the following message at the bottom of your SAS-configuration-directory/Lev/Web/WebAppServer/SASServer1_1/logs/server.log file:

21. Log on to the SAS Environment Manager Web Console (using https://<HOSTNAME>:7443, assuming that the default port is being used).

22. (Optional) To disable non-secure HTTP access on port 7080, follow the steps from the documentation here.