Problem Note 62345: A SAS® Visual Investigator deployment fails at the Search Guard step after the distribute-httpd-certs playbook runs
As part of a SAS Visual Investigator deployment, you run the distribute-httpd-certs playbook to distribute certificates and update keystores. After this action, you might encounter an error in the Elasticsearch log that is similar to the following:
[ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [-M4z0qW] SSL Problem Received fatal alert: certificate_unknown
To work around this issue, you must regenerate the Elasticsearch keystores for both the client and administrator:
- Generate a truststore.
- Back up the following files:
  - /opt/sas/viya/config/etc/elasticsearch/default/keys/searchguard/searchguard-key-admin.jks
  - /opt/sas/viya/config/etc/elasticsearch/default/keys/searchguard/searchguard-key-client.jks
  Then move these files to a location that is different from their original location.
- Identify the server and port where Consul is located.
- To regenerate the keystores with the new truststore, issue the following two crypto-management requests (each one on its own line):
/opt/sas/viya/home/SASSecurityCertificateFramework/bin/sas-crypto-management req-vault-cert --common-name $(hostname -f) --vault-addr https://<host>:<port> --san-ip $(hostname -i) --san-dns $(hostname -f) --san-dns localhost --vault-cafile /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem --vault-token /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/searchguard/default/vault.token --out-crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/elasticsearch/searchguard-cert-admin.jks --out-form jks --out-key /opt/sas/viya/config/etc/elasticsearch/default/keys/searchguard/searchguard-key-admin.jks

/opt/sas/viya/home/SASSecurityCertificateFramework/bin/sas-crypto-management req-vault-cert --common-name $(hostname -f).client --vault-addr https://<host>:<port> --san-ip $(hostname -i) --san-dns $(hostname -f) --san-dns localhost --vault-cafile /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem --vault-token /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/searchguard/default/vault.token --out-crt /opt/sas/viya/config/etc/SASSecurityCertificateFramework/private/elasticsearch/searchguard-cert-admin.jks --out-form jks --out-key /opt/sas/viya/config/etc/elasticsearch/default/keys/searchguard/searchguard-key-client.jks
- Use the following command to stop the Elasticsearch node:
sudo service sas-viya-svi-elasticsearch-default stop
- Use the following command to restart the Elasticsearch node:
sudo service sas-viya-svi-elasticsearch-default start
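The back-up-and-move step above, as an added shell example that is not part of the SAS note: it relocates both keystores together and refuses to run if either file is missing or if the backup directory is the original location. The function name `relocate_keystores`, the `KEY_DIR` override, and the backup directory argument are assumptions made for illustration; the backup directory is made owner-only because the keystores contain private keys.

```bash
#!/usr/bin/env bash
# Added example (not SAS-supplied code): back up and relocate the two
# Search Guard keystores before regenerating them.
# KEY_DIR defaults to the path given in the note; overriding it is an assumption
# made so the function can be exercised against a scratch directory.
KEY_DIR="${KEY_DIR:-/opt/sas/viya/config/etc/elasticsearch/default/keys/searchguard}"
KEYSTORES="searchguard-key-admin.jks searchguard-key-client.jks"

# relocate_keystores <backup_dir>   (hypothetical helper name)
# Moves both keystores out of KEY_DIR into <backup_dir>. Returns non-zero and
# moves nothing unless both files exist and <backup_dir> is a different location.
relocate_keystores() {
    local dest="$1" f src_real dest_real
    [ -n "$dest" ] || { echo "usage: relocate_keystores <backup_dir>" >&2; return 2; }

    # Check both files up front so a failure never leaves the pair half-moved.
    for f in $KEYSTORES; do
        [ -f "$KEY_DIR/$f" ] || { echo "missing: $KEY_DIR/$f" >&2; return 1; }
    done

    mkdir -p "$dest" || return 1
    # Compare resolved paths so a symlink or relative path cannot alias KEY_DIR.
    src_real=$(cd "$KEY_DIR" && pwd -P) || return 1
    dest_real=$(cd "$dest" && pwd -P) || return 1
    if [ "$src_real" = "$dest_real" ]; then
        echo "backup directory must differ from $KEY_DIR" >&2
        return 1
    fi
    # Keystores hold private keys: keep the backup directory owner-only.
    chmod 700 "$dest" || return 1

    for f in $KEYSTORES; do
        # cp -p preserves mode and timestamps; cmp verifies the copy byte for byte.
        cp -p "$KEY_DIR/$f" "$dest/$f" && cmp -s "$KEY_DIR/$f" "$dest/$f" || return 1
    done
    # Remove the originals only after both copies have been verified.
    for f in $KEYSTORES; do
        rm -f "$KEY_DIR/$f" || return 1
    done
    return 0
}
```

Run the function as the account that owns the keystores, for example `relocate_keystores /root/searchguard-backup-$(date +%Y%m%d)`, before issuing the two `req-vault-cert` requests.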
Operating System and Release Information
| SAS System | SAS Visual Investigator | Linux for x64 | 10.3.1 | 10.6 | Viya | Viya |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
After the distribute-httpd-certs playbook runs during a SAS® Visual Investigator deployment, you receive a ". . . certificate_unknown" error.
| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2018-05-23 11:42:29 |
| Date Created: | 2018-05-21 15:56:56 |