SAS Viya 4 (2021.1.2) with LDAPS to Windows 2012 R2

I recently installed a local copy of SAS Viya 4 (2021.1.2) in our Kubernetes lab environment and was trying to configure it to work with a test AD server, Windows 2012 R2. The AD server had been configured to only allow TLS (LDAPS) connections and so after the initial installation of SAS Viya I configured the SAS Identities service to use LDAPS, as explained in the SAS documentation.

Unfortunately it didn’t work at first. I was getting errors that turned out to be a TLS cipher mismatch between the client (SAS Identities service) and the server (Windows 2012 R2 AD). I was able to fix it using two methods:

  1. Re-enabling LDAP connections to AD and switching back from LDAPS to LDAP connections for the SAS Identities service (not preferred)
  2. Tweaking the configuration of the SAS Identities service to support a cipher that worked with Windows 2012 R2 AD (preferred)

Of course I could have also upgraded AD from Windows 2012 R2 to a more recent version, but that is a project for another day as I still want to continue working with the older version for the time being.

For future reference, and in case it helps anybody else, here are my notes Continue reading “SAS Viya 4 (2021.1.2) with LDAPS to Windows 2012 R2”

Metacoda Identity Sync and Microsoft Security Advisory ADV190023

Those of you who use Metacoda Identity Sync may have already heard about Microsoft Security Advisory ADV190023. You may have heard about it from Stuart Rogers’ post on SAS Communities: SAS Viya The Importance of LDAP Encryption. Stuart’s article is about SAS Viya, but the Microsoft changes may have an impact on those sites that do LDAP-based identity synchronization with their SAS 9 platforms too. This includes Metacoda customers that use Metacoda Identity Sync. Naturally, this is something we have been getting some questions about recently – “How will it impact on the identity sync process?”

I think a good place to start would be to read the linked articles above, then discuss with your domain admins. They will be able to tell you if they plan on making the recommended changes and, if so, when they plan to make them. This might require you to change the way you configure your LDAP connection.

There has been some confusion about what changes Microsoft will make and when. It also looks like the extent and timing of those changes has evolved over time too. Quoting some of the sections of the advisory, as of today: Continue reading “Metacoda Identity Sync and Microsoft Security Advisory ADV190023”

Reviewing SSL/TLS Certificate Chain for Active Directory Server

Sometimes when I am setting up, or helping someone setup, identity synchronisation between the SAS® platform and Microsoft Active Directory (AD), I run into SSL/TLS certificate validation issues. I am usually using Metacoda Identity Sync, but it can also happen when doing a sync with custom Base SAS code. Often the underlying cause is that the AD server’s CA certificate is not in the SAS Private JRE Trusted CA Bundle (see Did I add that CA Certificate to the SAS Trusted CA Bundle?). When troubleshooting this, one of the first things I will do is look at the certificate that the AD server is providing, and I mostly use an OpenSSL s_client command for this. There are 4 command variations I use depending on whether I am trying to use the main directory or the global catalog, and with LDAP plus STARTTLS, or just LDAPS.

For connecting to the main directory on the unencrypted LDAP port 389 with an upgrade to encrypted using STARTTLS:

echo "Q" | openssl s_client -connect dc.example.com:389 -starttls ldap -showcerts

For connecting to the main directory on the encrypted LDAPS port 636:

echo "Q" | openssl s_client -connect dc.example.com:636 -showcerts

For connecting to the global catalog on the unencrypted port 3268 with an upgrade to encrypted using STARTTLS:

echo "Q" | openssl s_client -connect gc.example.com:3268 -starttls ldap -showcerts

For connecting to the global catalog on the encrypted port 3269:

echo "Q" | openssl s_client -connect gc.example.com:3269 -showcerts

If you want to examine the returned certificate in more detail then you can also pipe it to an OpenSSL x509 command e.g.

echo "Q" | openssl s_client -connect dc.example.com:389 -starttls ldap -showcerts | openssl x509 -noout -text

If you have questions, or any other tips for troubleshooting SSL/TLS certificates with AD, then please leave a comment below.

Did I add that CA Certificate to the SAS Trusted CA Bundle?

Sometimes I forget whether I’ve added our internal site root and intermediate CA certificates to the Trusted CA Bundle that SAS® Software applications use. Sometimes I also forget the command I can use to find out whether I did! ;) As is often the case with my blog posts, by jotting things down here, I can find them again either by searching this blog, or more likely, by remembering I wrote it when I see it turn up in Google search results!

If you use site-signed certificates from your own internal CA in your SAS platform installations then you’re probably already familiar with adding them to the Trusted CA Bundle using the SAS Deployment Manager (see the Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager section in the Encryption in SASĀ® 9.4 book for more info).

If you want to find out what CA certificates are already in that bundle you can use the Java keytool command like so:

/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks -storepass changeit

It generates a long list of CA certs, so I pipe it through grep to look for the ones I want:

/opt/sas94m5/sashome/SASPrivateJavaRuntimeEnvironment/9.4/jre/bin/keytool -list -keystore /opt/sas94m5/sashome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks -storepass changeit | grep -i metacoda

If you want more details on the certificates you can Continue reading “Did I add that CA Certificate to the SAS Trusted CA Bundle?”