Connecting SAS 9.4 to SAS Viya: Resolving SSL Certificate Import Errors

Integrating an existing SAS^© 9.4 environment (e.g., 9.4M5) with a SAS^© Viya^™ platform (like version 3.3) is a crucial step to enable users to submit code to the CAS (Cloud Analytic Services) server from classic interfaces like SAS^© Enterprise Guide.

However, configuring the SAS^© 9.4 Compute Server for secure communication with CAS can be tricky, especially during the security certificate import step. It is common to encounter path or format validation errors when using the SAS^© Deployment Manager.

This article details the procedure to bypass common errors such as "Failed to validate the certificate path" or "Certificate file is not Base-64 encoded".

Connecting SAS 9.4 to SAS Viya: Resolving SSL Certificate Import Errors -

The Problem

Standard documentation often suggests simply copying the certificate file (like vault-sas^©-service-ca.crt or trustedcerts.pem) from the Viya^™ server to the SAS^© 9.4 server and importing it.

However, this direct method often fails with the SAS^© Deployment Manager for two reasons:

The file format: The raw file may contain comments or metadata that the import tool cannot parse.
The trust chain: The order of the certificates (Root and Intermediate) is strict and must be respected for the validation to succeed.

The Solution: Create a Clean Certificate File

To successfully import the certificate, you must not use the raw file as is. It is necessary to manually create a new .pem file containing only the required blocks, in the correct order.

Here is the step-by-step procedure:

1. Retrieve the source file

On your SAS^© Viya^™ server, locate the trusted certificates file. It is usually found here: /opt/sas^©/viya^™/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem

2. Prepare the new import file

Open this file and create a new, blank text file (which you could name, for example, viya^™_import.pem).

You must copy only the two base-64 encoded text blocks corresponding to the following certificates:

SAS^© VIYA^™ Intermediate CA
SAS^© VIYA^™ Root CA

Pay attention to the order! The SAS^© Deployment Manager requires the intermediate certificate to be placed before the root certificate. The file must not contain any comments, only the tags and the code.

The structure of your new file should look exactly like this:

New BufferRO

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

3. Import via the Deployment Manager

Select the option to add certificates to the Trusted CA Bundle.
Point to your viya^™_import.pem file.

The import should now complete without any validation errors. Once this security step is passed, you can proceed to configure authentication (using an .authinfo or .netrc file) to finalize the connection between your environments.

Aviso importante

Los códigos y ejemplos proporcionados en WeAreCAS.eu son con fines educativos. Es imperativo no copiarlos y pegarlos ciegamente en sus entornos de producción. El mejor enfoque es comprender la lógica antes de aplicarla. Recomendamos encarecidamente probar estos scripts en un entorno de prueba (Sandbox/Dev). WeAreCAS no acepta ninguna responsabilidad por cualquier impacto o pérdida de datos en sus sistemas.

Volver a la lista de artículos