Finding the SAS Viya 4 Consul Token

When you are working with the SAS® Viya® REST APIs you need to do a one-off registration process for your client using the Consul Token.

The SAS documentation for SAS REST APIs: Authentication & Authorization: Registering clients explains how to get access to the Consul client.token by looking in the file system at /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token

Now, SAS Viya 4 is based on Kubernetes and has lots of pods each with their own file system, so I was wondering where I’d locate this file. I started looking in the sas-login-app pod but didn’t find it there. Next stop was one of the sas-consul-server pods and that was where I found it (makes sense really, I should have started there!).

Now that I know where to find it, in future I will use the following kubectl command to quickly print out the Consul client.token when I need it:

kubectl exec -q -n sasviyadev sas-consul-server-0 -c sas-consul-server -- cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token

… replacing sasviyadev with the name of the namespace in which SAS Viya 4 has been deployed.

After discovering the Consul token using the method above, I subsequently found a documented method in the SAS Viya Administration: Authentication: Additional Authentication Topics: Register a New Client ID:

kubectl -n sasviyadev get secret sas-consul-client -o go-template='{{(index .data "CONSUL_HTTP_TOKEN")}}' | base64 -d

… so now I know two ways!
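
As an added example (not part of the original post or the SAS documentation), the two lookups above can be wrapped in a shell helper that writes the token to a file readable only by the current user instead of printing it to the terminal. The function names and the output file argument are assumptions; the kubectl commands are the two shown above.

```shell
#!/usr/bin/env bash
# Added example: the kubectl commands are the two from the post; the function
# names and the OUTFILE argument are assumptions made for this illustration.

# Documented method: decode CONSUL_HTTP_TOKEN from the sas-consul-client secret.
token_from_secret() {
  kubectl -n "$1" get secret sas-consul-client \
    -o go-template='{{(index .data "CONSUL_HTTP_TOKEN")}}' 2>/dev/null |
    base64 -d 2>/dev/null
}

# File-system method: read client.token inside the sas-consul-server-0 pod.
token_from_pod() {
  kubectl exec -q -n "$1" sas-consul-server-0 -c sas-consul-server -- cat \
    /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token \
    2>/dev/null
}

# save_consul_token NAMESPACE OUTFILE
# Tries the secret first, then the pod file, and stores the token with mode
# 0600 so that it never appears in terminal scrollback.
save_consul_token() {
  local ns="$1" out="$2" token
  if [ -z "$ns" ] || [ -z "$out" ]; then
    echo "usage: save_consul_token NAMESPACE OUTFILE" >&2
    return 2
  fi
  token="$(token_from_secret "$ns")" || token=""
  [ -n "$token" ] || token="$(token_from_pod "$ns")" || token=""
  # Reject empty output or anything containing whitespace, such as an error
  # message captured in place of the token.
  case "$token" in
    '' | *[[:space:]]*)
      echo "no usable token found in namespace $ns" >&2
      return 1
      ;;
  esac
  ( umask 077 && printf '%s' "$token" > "$out" ) || return 1
  chmod 600 "$out" || return 1
  echo "token written to $out" >&2
}
```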

If you have any other helpful tips for locating the SAS Viya 4 Consul token please leave a comment below.

Useful SAS Viya 4 Kubernetes Resources

This is a quick post to list a bunch of resources I found useful in understanding and deploying SAS® Viya® 4 on the Kubernetes platform:

Overview
Installation
Migration
Management/Monitoring
Backup/Restore/DR

Thanks to all the authors for sharing their knowledge and experiences with us.

If you know of any others you think I should read and add to this list then please let me know in a comment below.

SAS Viya 4 (2021.1.2) with LDAPS to Windows 2012 R2

I recently installed a local copy of SAS Viya 4 (2021.1.2) in our Kubernetes lab environment and was trying to configure it to work with a test AD server, Windows 2012 R2. The AD server had been configured to only allow TLS (LDAPS) connections and so after the initial installation of SAS Viya I configured the SAS Identities service to use LDAPS, as explained in the SAS documentation.

Unfortunately it didn’t work at first. I was getting errors that turned out to be a TLS cipher mismatch between the client (SAS Identities service) and the server (Windows 2012 R2 AD). I was able to fix it using two methods:

  1. Re-enabling LDAP connections to AD and switching back from LDAPS to LDAP connections for the SAS Identities service (not preferred)
  2. Tweaking the configuration of the SAS Identities service to support a cipher that worked with Windows 2012 R2 AD (preferred)

Of course I could have also upgraded AD from Windows 2012 R2 to a more recent version, but that is a project for another day as I still want to continue working with the older version for the time being.

For future reference, and in case it helps anybody else, here are my notes

Installing SAS Viya 4 (2021.1.2) Locally

I have been wanting to get SAS® Viya 4 running locally on our lab hardware to further investigate the REST APIs, and having just finished the installation, I thought I’d jot down a few notes.

SAS Viya 4 has initially been released for the main cloud providers: Microsoft Azure (AKS) first, and now Amazon (EKS) and Google (GKE) too. I understand that Red Hat OpenShift support will be coming later this year.

I’d heard it was also possible to get it running in a local on-premise Kubernetes (K8s) environment with some prep work

Nudging SAS Viya Services Timeout

I had been puzzling over why some SAS® Viya™ services were not starting on a machine reboot. Initially I thought the answer appeared in the SAS Viya 3.2 Administration documentation set: see the General Servers and Services: Troubleshooting section.

I found that all the expected services started after:

[root@hostname ~]# /etc/init.d/sas-viya-all-services stop
[root@hostname ~]# rm -f /opt/sas/viya/config/data/consul/checks/*
[root@hostname ~]# /etc/init.d/sas-viya-all-services start
[root@hostname ~]# /etc/init.d/sas-viya-all-services status

However, on further investigation it turned out that it probably wasn’t a problem with those consul/checks files. After another reboot I found that, once again, only a subset of the services had started. Using systemctl to check the status I found the following: