Sometimes I forget whether I’ve added our internal site root and intermediate CA certificates to the Trusted CA Bundle that SAS® Software applications use. Sometimes I also forget the command I can use to find out whether I did! ;) As is often the case with my blog posts, by jotting things down here, I can find them again either by searching this blog, or more likely, by remembering I wrote it when I see it turn up in Google search results!
If you use site-signed certificates from your own internal CA in your SAS platform installations then you’re probably already familiar with adding them to the Trusted CA Bundle using the SAS Deployment Manager (see the Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager section in the Encryption in SAS® 9.4 book for more info).
If you want to find out what CA certificates are already in that bundle you can use the Java keytool command like so:
/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks -storepass changeit
It generates a long list of CA certs, so I pipe it through grep to look for the ones I want:
/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks -storepass changeit | grep -i metacoda
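Grepping by alias only works if you remember what alias the certificate was imported under. The following is an added example, not part of the original post: it matches entries in the keytool -list output by certificate fingerprint instead. The sample listing, the aliases and the file name site-root-ca.pem are constructed, and the output layout assumed is the one Java 8 keytool prints (SHA1 fingerprints).

```shell
#!/bin/sh
# Added example: find a CA in `keytool -list` output by fingerprint, not alias.

# Constructed sample listing (assumed Java 8 keytool layout; values are made up).
SAMPLE_LIST='Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

example-public-ca, Jul 14, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
site-root-ca, Mar 2, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4
site-issuing-ca, Mar 2, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:0F:1E:2D:3C'

# Reduce a fingerprint to bare upper-case hex. Accepts openssl's
# "SHA1 Fingerprint=AA:BB:..." form as well as plain or colon-separated hex.
norm_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# stdin: `keytool -list` output.
# stdout: "alias<TAB>FINGERPRINT" for each trustedCertEntry.
list_entries() {
  awk '
    /, *trustedCertEntry, *$/ { split($0, f, ", "); alias = f[1]; next }
    /^Certificate fingerprint/ && alias != "" {
      fp = $0; sub(/^[^:]*: */, "", fp); gsub(/:/, "", fp)
      print alias "\t" toupper(fp); alias = ""
    }'
}

# stdin: `keytool -list` output; $1: fingerprint to look for.
# Prints the matching alias and returns 0; returns 1 if the bundle lacks it.
alias_for_fingerprint() {
  want=$(norm_fp "$1")
  list_entries | awk -F '\t' -v want="$want" \
    '$2 == want { print $1; found = 1 } END { exit !found }'
}

# Real use ($TRUSTSTORE and site-root-ca.pem are placeholders):
#   keytool -list -keystore "$TRUSTSTORE" -storepass changeit |
#     alias_for_fingerprint "$(openssl x509 -noout -fingerprint -sha1 -in site-root-ca.pem)"
printf '%s\n' "$SAMPLE_LIST" |
  alias_for_fingerprint 'SHA1 Fingerprint=a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:a1:b2:c3:d4'
```

If the keytool in use prints SHA-256 fingerprints, ask openssl for -sha256 instead of -sha1 so that both sides use the same digest.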
If you want more details on the certificates you can add the -v option and pipe it through less to browse and slash-search the results:
/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks -storepass changeit -v | less
Keytool also comes in handy when Configuring SAS Environment Manager for HTTPS and you want to review the contents of the hyperic.keystore:
/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/config/Lev1/Web/SASEnvironmentManager/server-5.8.0-EE/conf/hyperic.keystore -storepass hyperic
… once again adding -v if you want more details (and | less to browse/search them):
/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/config/Lev1/Web/SASEnvironmentManager/server-5.8.0-EE/conf/hyperic.keystore -storepass hyperic -v | less
… and finally, if you want to confirm which certificate SAS Environment Manager is using, openssl s_client is very useful:
openssl s_client -connect myserver.example.com:7443
NOTE: use Control-D or upper-case Q to terminate s_client after looking at the certificate details.
Hello Paul,
This is very handy, thanks for your post: next time I’ll google for such a command, then I will be able to narrow down the search scope with platformadmin.com domain ;)
I recently had to install a 9.4 Office Analytics Platform with SSL and this paper proved essential reading as regards SSL as a whole and specifically applied to the installation of SAS 9 platforms:
http://support.sas.com/resources/papers/proceedings16/SAS3441-2016.pdf
Ronan
Hi Ronan,
Thanks for the feedback and the link to the paper. That paper is a great resource for SAS admins!
Cheers
Paul