Usage Note 63812: SAS® Infrastructure Data Server allows non-compliant and deprecated ciphers
Connections made to the SAS Infrastructure Data Server (the PostgreSQL database) use network encryption. The current list of accepted ciphers includes deprecated and non-compliant ciphers.
If your company requires the use of more current encryption methods, you can manually modify the PostgreSQL configuration file to update the ciphers that are accepted.
Use these instructions to manually update the accepted ciphers on Linux and Microsoft Windows systems.
Linux Instructions
For each data node in the PostgreSQL cluster, do the following:
1. Stop the consul-template service for the postgresql.conf file by executing the following commands using a sudoer account:
   - cd /etc/init.d
   - sudo ./sas-viya-sasdatasvrc-<cluster-name>-<node-name>-ct-postgresql stop
   - Here is an example: sudo ./sas-viya-sasdatasvrc-postgres-node0-ct-postgresql stop
2. Update the postgresql.conf file:
   - Execute the following commands as the sas user:
     - cd /opt/sas/viya/config/data/sasdatasvrc/<cluster-name>/<node-name>
     - Here is an example: cd /opt/sas/viya/config/data/sasdatasvrc/postgres/node0
     - cp postgresql.conf postgresql.conf.bk
     - vi postgresql.conf
   - Add the following entries at the bottom of the postgresql.conf file and save the file:
     ssl_ciphers = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256' # allowed SSL ciphers
     ssl_prefer_server_ciphers = on
   - Use the diff command to compare files to validate that the changes were made:
     - diff postgresql.conf postgresql.conf.bk
3. Regenerate the consul-template file for the updated postgresql.conf file by executing the following commands as the sas user:
   - source /opt/sas/viya/home/libexec/sasdatasvrc/script/sds_set_env_variable.sh /opt/sas/viya/config/etc/sasdatasvrc/<cluster-name>/<node-name>/sds_env_var.sh
   - Here is an example: source /opt/sas/viya/home/libexec/sasdatasvrc/script/sds_set_env_variable.sh /opt/sas/viya/config/etc/sasdatasvrc/postgres/node0/sds_env_var.sh
   - /opt/sas/viya/home/libexec/sasdatasvrc/script/consul_update_conf_file.sh /opt/sas/viya/config/data/sasdatasvrc/<cluster-name>/<node-name>/postgresql.conf
   - Here is an example: /opt/sas/viya/home/libexec/sasdatasvrc/script/consul_update_conf_file.sh /opt/sas/viya/config/data/sasdatasvrc/postgres/node0/postgresql.conf
4. Start the consul-template service for the postgresql.conf file by executing the following commands with a sudoer account:
   - cd /etc/init.d
   - sudo ./sas-viya-sasdatasvrc-<cluster-name>-<node-name>-ct-postgresql start
   - Here is an example: sudo ./sas-viya-sasdatasvrc-postgres-node0-ct-postgresql start
5. Complete steps 1 - 4 for all data nodes for the cluster.
6. Restart the cluster in order to make the new setting effective:
   - Log on to the PGPool host.
   - Execute the following commands using a sudoer account:
     - cd /etc/init.d
     - sudo ./sas-viya-sasdatasvrc-<cluster-name> restart
     - Here is an example: sudo ./sas-viya-sasdatasvrc-postgres restart
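A check that can be run against each node's postgresql.conf after the edit, added here as an example and not part of the SAS note or SAS tooling: it resolves the value PostgreSQL will actually use (the last uncommented entry for a parameter wins, which is why the entries go at the bottom of the file) and compares it with the cipher list above. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline audit of the ssl settings PostgreSQL will actually use.

# Allowlist copied verbatim from the usage note's ssl_ciphers entry.
ALLOWED='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256'

# effective_setting FILE NAME: print the value of the last uncommented
# "NAME = value" line. PostgreSQL ignores all but the last entry for a
# parameter, so an older entry higher up in the file is overridden.
# Assumes the "name = value" form with an equals sign, as the note writes it.
effective_setting() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*\(#.*\)\{0,1\}$//' -e "s/^'//" -e "s/'\$//"
}

# audit_conf FILE: return 0 only if every effective cipher is on the allowlist
# and ssl_prefer_server_ciphers is explicitly "on", as the note sets it.
audit_conf() {
  rc=0
  ciphers=$(effective_setting "$1" ssl_ciphers)
  prefer=$(effective_setting "$1" ssl_prefer_server_ciphers)
  if [ -z "$ciphers" ]; then
    echo "FAIL: ssl_ciphers is not set, so the server default applies"; rc=1
  fi
  old_ifs=$IFS; IFS=:
  for c in $ciphers; do
    case ":$ALLOWED:" in
      *":$c:"*) ;;
      *) echo "FAIL: cipher not on the allowlist: $c"; rc=1 ;;
    esac
  done
  IFS=$old_ifs
  if [ "$prefer" != "on" ]; then
    echo "FAIL: ssl_prefer_server_ciphers is '${prefer:-unset}'"; rc=1
  fi
  return $rc
}

# Constructed sample: an older entry earlier in the file, the note's entries last.
sample=$(mktemp)
printf '%s\n' "ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'" \
  "ssl_ciphers = '$ALLOWED' # allowed SSL ciphers" \
  "ssl_prefer_server_ciphers = on" > "$sample"
audit_conf "$sample" && echo "PASS: effective settings match the note"
rm -f "$sample"
```

To audit a real node, call audit_conf with the path to that node's postgresql.conf in place of the sample file.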
Windows Instructions
1. Stop the Windows service named SAS Infrastructure Data Server - Postgres - Datanode0.
2. Update the postgresql.conf file:
   - Using Windows Explorer, go to C:\ProgramData\SAS\Viya\data\sasdatasvrc\<cluster-name>\node0.
   - Here is an example: C:\ProgramData\SAS\Viya\data\sasdatasvrc\postgres\node0
   - Copy the postgresql.conf file to a backup file named postgresql.conf.bk.
   - Edit the postgresql.conf file as an administrator, add the following entries, and save the file.
     Note: You might need to use PowerShell to complete this step.
     ssl_ciphers = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256' # allowed SSL ciphers
     ssl_prefer_server_ciphers = on
   - Confirm the changes. You can do this with a command-line tool such as fc.exe:
     - Here is an example: fc.exe postgresql.conf postgresql.conf.bk
3. Start the Windows service named SAS Infrastructure Data Server - Postgres - Datanode0.
Operating System and Release Information
| SAS System | SAS Viya |
| Microsoft® Windows® for x64 | 3.4 | 3.5 | | |
| Microsoft Windows 8 Enterprise 32-bit | 3.4 | 3.5 | | |
| Microsoft Windows 8 Enterprise x64 | 3.4 | 3.5 | | |
| Microsoft Windows 8 Pro 32-bit | 3.4 | 3.5 | | |
| Microsoft Windows 8 Pro x64 | 3.4 | 3.5 | | |
| Microsoft Windows 8.1 Enterprise 32-bit | 3.4 | 3.5 | | |
| Microsoft Windows 8.1 Enterprise x64 | 3.4 | 3.5 | | |
| Microsoft Windows 8.1 Pro 32-bit | 3.4 | 3.5 | | |
| Microsoft Windows 8.1 Pro x64 | 3.4 | 3.5 | | |
| Microsoft Windows 10 | 3.4 | 3.5 | | |
| Microsoft Windows 95/98 | 3.4 | 3.5 | | |
| Microsoft Windows 2000 Advanced Server | 3.4 | 3.5 | | |
| Microsoft Windows 2000 Datacenter Server | 3.4 | 3.5 | | |
| Microsoft Windows 2000 Server | 3.4 | 3.5 | | |
| Microsoft Windows 2000 Professional | 3.4 | 3.5 | | |
| Microsoft Windows NT Workstation | 3.4 | 3.5 | | |
| Microsoft Windows Server 2003 Datacenter Edition | 3.4 | 3.5 | | |
| Microsoft Windows Server 2003 Enterprise Edition | 3.4 | 3.5 | | |
| Microsoft Windows Server 2003 Standard Edition | 3.4 | 3.5 | | |
| Microsoft Windows Server 2003 for x64 | 3.4 | 3.5 | | |
| Microsoft Windows Server 2008 | 3.4 | 3.5 | | |
| Microsoft Windows Server 2008 R2 | 3.4 | 3.5 | | |
| Microsoft Windows Server 2008 for x64 | 3.4 | 3.5 | | |
| Microsoft Windows Server 2012 Datacenter | 3.4 | 3.5 | | |
| Microsoft Windows Server 2012 R2 Datacenter | 3.4 | 3.5 | | |
| Microsoft Windows Server 2012 R2 Std | 3.4 | 3.5 | | |
| Microsoft Windows Server 2012 Std | 3.4 | 3.5 | | |
| Microsoft Windows Server 2016 | 3.4 | 3.5 | | |
| Microsoft Windows Server 2019 | 3.4 | 3.5 | | |
| Microsoft Windows XP Professional | 3.4 | 3.5 | | |
| Windows 7 Enterprise 32 bit | 3.4 | 3.5 | | |
| Windows 7 Enterprise x64 | 3.4 | 3.5 | | |
| Windows 7 Home Premium 32 bit | 3.4 | 3.5 | | |
| Windows 7 Home Premium x64 | 3.4 | 3.5 | | |
| Windows 7 Professional 32 bit | 3.4 | 3.5 | | |
| Windows 7 Professional x64 | 3.4 | 3.5 | | |
| Windows 7 Ultimate 32 bit | 3.4 | 3.5 | | |
| Windows 7 Ultimate x64 | 3.4 | 3.5 | | |
| Windows Millennium Edition (Me) | 3.4 | 3.5 | | |
| Windows Vista | 3.4 | 3.5 | | |
| Windows Vista for x64 | 3.4 | 3.5 | | |
| Linux for x64 | 3.4 | 3.5 | | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
| Type: | Usage Note |
| Priority: | |
| Topic: | Data Management ==> Data Sources ==> External Databases ==> PostgreSQL |
| Date Modified: | 2019-04-01 12:33:56 |
| Date Created: | 2019-03-08 10:14:30 |