Add Your Certificates to the SAS Private JRE

Prior to the third maintenance release for SAS 9.4, there is no SAS Deployment Manager task to help you manage any certificates that you provide. If you are providing your own certificates, then you must add the CA root certificate and all of its intermediate certificates to the SAS Private JRE using the keytool -importcert command.
Note: If you have any Windows machines, you must also add the CA root and intermediate certificates to the Windows certificates stores. For more information, see Add Your Certificates to the Windows CA Stores.
To add CA root and intermediate certificates, perform these steps:
  1. Log on to the primary middle-tier machine as the SAS Installer user.
  2. Change the directory to where your keytool commands reside.
    For example:
    cd /usr/java/jdk_version/bin
  3. Enter the following command. Refer to the table for information that you must provide.
    ./keytool –importcert –keystore "SAS-installation-directory
    /SASPrivateJavaRuntimeEnvironment/9.4/jre/lib/security/cacerts" 
    –storepass changeit –alias myhost –file path-to-keystore.jks
    Note: The keytool command must be on one line. It is shown on more than one line in the preceding code sample for display purposes only.
    Tip
    For more information about the keytool command, see http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html.
    User-Supplied Values for the Keytool Command
    Value
    Description
    Examples
    SAS-installation-directory
    Location on the machine where SAS is installed
    C:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\lib\security
    myhost
    Fully qualified machine name
    my_server.example.com
    path-to-keystore.jks
    Absolute path to the keystore
    /opt/certs/my_keystore.jks
  4. Repeat step 3 to add your CA intermediate certificates.
  5. To verify that your CA root and intermediate certificates were successfully added, enter the following command:
    path-to-keytool-command/keytool -list -keystore /SAS-installation-directory
    /SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks
    For example:
    /usr/java/jdk1.8.0_45/bin/keytool -list -keystore 
    /opt/SASHome/SASSecurityCertificateFramework/1.1/cacerts/trustedcerts.jks
    You should see output similar to the following:
    intca, Oct 15, 2015, trustedCertEntry,
    Certificate fingerprint (SHA1): 12:4D:C9:88:CD:D5:F3:E9:9E:29:D8:AB:F1:00:AD:
    93:60:61:11:45 cn=twca root certification authority,ou=root ca,o=taiwan-ca,
    c=tw, Jun 2, 2015, trustedCertEntry, Certificate fingerprint (SHA1): CF:9E:
    87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48
    rootca, Oct 15, 2015, trustedCertEntry,
    Certificate fingerprint (SHA1): 57:7B:1E:D7:16:5D:5F:44:EB:79:AB:40:FA:98:49
    :DD:DF:4F:B5:F7 cn=microsec e-szigno root ca,ou=e-szigno ca,o=microsec ltd.,
    l=budapest,c=hu, Jun 2, 2015, trustedCertEntry,
    
  6. Repeat steps 1 through 5 on each machine.
  7. If you have any Windows machines in your SAS deployment, proceed to Add Your Certificates to the Windows CA Stores.