Problem Note 65400: SAS® Viya® deployments fail when the FIPS standard is enabled on a Microsoft Windows system
 |  |  |  |  |
The Federal Information Processing Standards (FIPS) define security and interoperability requirements for computer systems that are used by members of the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms, and it also sets requirements for key generation and for key management.
To determine whether the FIPS standard is enabled on a Windows system, take these steps:
- Open the Local Security Policy app and select Local Policies ► Security Options.
- Review the security option that is named System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. The Security Setting option is set to either Enabled or Disabled.
When the Security Setting option is Enabled, SAS® Viya® 3.5 deployments (Rev. 19w21 to 19w47) can fail on Windows systems.
After a deployment fails, the deploy-sas-vacas-date-timestamp.log file shows error information that is similar to the following:
MSI (s) (20:F4) [08:41:51:622]: Executing op: CustomActionSchedule(Action=AfterInstallMsiSave.CEDDC25F_C5D9_4E73_9785_6D2422A43DE4,ActionType=3073,Source=BinaryData,Target=AfterInstallMsiSave,CustomActionData=SOURCE=C:\ProgramData\SAS\Viya\etc\SASEventStreamProcessingEngine\default\esp-properties.yml;INSTALLDIR=C:\Program Files\SAS;UILevel=2;ProductCode={33DB5F06-7970-4B27-AD74-D355DC4ADF3D})
MSI (s) (20:68) [08:41:51:622]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI1C1.tmp, Entrypoint: AfterInstallMsiSave
SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI1C1.tmp-\
SFXCA: Binding to CLR version v4.0.30319
Calling custom action CommonLibrary!CommonLibrary.CustomActions.CreateBackupFile.AfterInstallMsiSave
Couldn't backup previous file: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
at CommonLibrary.CustomActions.CreateBackupFile.AfterInstallMsiSave(Session session) in C:path\MsiBuildTool\msibuildtool_deploy\CommonLibrary\CustomActions\CreateBackupFile.cs:line 75
CustomAction AfterInstallMsiSave.CEDDC25F_C5D9_4E73_9785_6D2422A43DE4 returned actual error code 1603
MSI (s) (20:F4) [08:41:55:993]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (20:F4) [08:41:55:993]: User policy value 'DisableRollback' is 0
SAS Viya deployments on Windows use a Windows Installer (MSI) deployment model. Windows Installer packages use MSI files. A Microsoft merge module (MSM) is a special kind of Windows Installer database that contains the components that are needed to install a software bundle, like SAS Viya. An MSM cannot be installed alone. It must be merged into a standard MSI package during the creation of the installation. In order to support SAS Viya 3.5 deployments on FIPS-enabled systems, some of the SAS Viya 3.5 MSM and MSI files are updated in a hot fix. The table below lists the MSM and MSI files that are updated:
MSM MSI
--------------------------------------------
sascompsrvcfg sas-spre
sasbasecfg1 sas-spre
sasconnectcfg sas-connect
sastkcas sas-vacas
sasespbase sas-esp, sas-espcasvcf, sas-vacas
Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update.
For more information about the effects of enabling the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting in Windows, see article 811833 on the Microsoft Support website.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Viya | Microsoft® Windows® for x64 | 3.5 | Viya | ||