In SAS^® 9.4M8 (TS1M8), a key exchange error might occur when using ENCRYPTFIPS encryption. This error typically occurs during SAS^® Metadata Server connection attempts via SAS^® Deployment Manager.

When you upgrade SAS to SAS 9.4M8 or install a hot fix that requires a middle-tier rebuild, SAS Metadata Server might contain the following warning when you attempt to connect to it:

In addition, SAS Metadata Server logs might contain the following error:

ERROR [00001195] :sas - Cannot negotiate the encryption algorithm.

In the SAS Deployment Manager log file (located by default at $HOME/.SASAppData/SASDeploymentWizard/SDM*.log), a warning similar to the following might occur:

WARNING: Error testing connection to the metadata server: An exception was thrown during the encryption key exchange.

   Host: <your host>

   Port: 8561

   User: sasadm@saspw

<Date timestamp> com.sas.ssn.Logging logStackTrace

SEVERE: com.sas.metadata.remote.MdException: An exception was thrown during the encryption key exchange.

com.sas.metadata.remote.MdOMRConnectionImpl.makeConnection
(MdOMRConnectionImpl.java:1385)

Cause

This is a known issue with SAS 9.4M8 that occurs when ENCRYPTFIPS encryption is enabled. The error occurs during the encryption key exchange process when SAS Deployment Manager attempts to connect to SAS Metadata Server.

Workaround

To circumvent this issue, complete the following steps:

1. Back up the existing setup.jar files in the following locations:
   • <SAS Software Depot>/products/deploywiz__94594__prt__xx__sp0__1/deploywiz
   • <SASHOME>/SASDeploymentManager/9.4/products/deploywiz__94596__prt__
     xx__sp0__1/deploywiz
2. Replace the setup.jar in both locations with the following fixed version after extracting it: setup.jar. 

Note: Ensure that the backups are stored securely in case a rollback is needed.

This issue also affects SAS^® Deployment Wizard during any task that requires a connection to SAS Metadata Server. For SAS Deployment Manager, you should use the replacement setup.jar to update the file in the directory:

<SASHome>/SASDeploymentManager/9.4/products/<deploywiz_sku>/deploywiz

You should also check in the <DEPOT>/products/deploywiz__94594__prt__xx__sp0__1/deploywiz.ini file to ensure that the correct version of "securejava" is used.

The corrected lines for Linux x86-64 (LAX) should read as follows:

[lax]
copy1=setup.dat
copy2=<DEPLOYWIZ_PRT_PKG>/deploywiz.sh
copy3=<DEPLOYWIZ_PRT_PKG>/deploywiz.ini
copy4=<DEPLOYWIZ_PRT_PKG>/deploywiz
copy5=products/securejava__94130__prt__xx__sp0__1/sas.rutil.jar
copy6=products/securejava__94130__prt__xx__sp0__1/sas.rutil.nls.jar
copy7=products/securejava__94130__prt__xx__sp0__1/sastpj.rutil.jar
jre=<PRIVATEJRE_LAX_PKG>/jre_zulu_LAX_11.0.15.tgz
launch=<DEPLOYWIZ_PRT_PKG>/deploywiz.sh

launchercmd=../../<PRIVATEJRE_LAX_PKG>/jre/bin/java
launcherargs=-Xmx2048M -jar deploywiz/setup.jar

Older ship events for SAS 9.4M8 will have 94120 as the version for securejava instead of 94130. Depending on the ship event of the Software Depot, the corrected values might already be included. Make the updates to each operating section listed in the deploywiz.ini file.

Additional Notes

• This fix is specific to SAS 9.4M8 and ENCRYPTFIPS encryption.
• No changes to configuration files are required beyond replacing the JAR.
• SAS recommends that you restart SAS Deployment Manager after the replacement.
• The updated setup.jar file file will be included in new software orders beginning with 23w25.