Passwords for a few service accounts
require special coordination because these passwords are included
in configuration files. To update these passwords, use the SAS Deployment
Manager. Here are some key points about using the SAS Deployment Manager
to update passwords:
- The utility updates both configuration files and metadata. You can update multiple passwords in a single pass.
- You must run the utility on each machine that hosts affected components. If you have servers on multiple machines, run the utility on each host, beginning with the metadata server machine.
- It might be necessary to update the same password on multiple hosts. For example, if you update the password for the SAS Trusted User on the metadata server's host, you must also do the same update on the middle-tier machine.
- Be sure to supply the same new password for an account on all machines on which you update that account.
- If you enter a plaintext password into the utility, the utility encodes that password using SAS proprietary encoding (SAS002).
- Passwords for any service accounts that you introduce in SAS Management Console aren't managed by this tool. For example, if you designate a new login as the launch credential for a server, that launch credential isn't automatically added to the list of accounts that the SAS Deployment Manager can update. Server launch credentials aren't added to a configuration file, so you can update any such passwords from the owning identity's Accounts tab in SAS Management Console.
- You can automate running the deployment manager when you need to perform the same configuration action on many machines in your deployment. The deployment manager uses the same record and playback mechanism as the SAS Deployment Wizard to perform a non-interactive, silent configuration.
  CAUTION: If you choose to use the deployment manager's record and playback mechanism to update passwords, passwords are written to the response file. For greater security, delete the response file (or remove the passwords from the response file) when you are finished. A response file is present only if you use the record and playback mechanism, instead of completing the task manually as documented in the preceding steps.
- Each run of this utility generates an UpdatePasswords.html file that documents the updates that the utility performed and provides instructions for any required post-update activities.
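The clean-up that the caution above calls for can be scripted: report which password entries a response file holds and in what form, then blank them. This is an added example, not SAS code or part of the original page; it assumes the response file is a key=value properties file, and the key names, path and values in the sample are constructed, so check them against a response file you recorded.

```shell
#!/bin/sh
# Added example, not SAS code. Assumes a key=value properties file; the key
# names and values in the sample are constructed.

write_sample() {   # constructed stand-in for a recorded response file
  cat > "$1" <<'EOF'
# constructed sample, not real SAS output
CONFIG_DIR=/opt/sas/config/Lev1
sastrust.Password=Example-Plain1
sassrv.password={sas002}0000000000000000
sasadm.PASSWORD={SAS003}00000000000000000000000000000000
EOF
}

# Print "key<TAB>class" for every key whose name contains "password".
audit_response_file() {
  awk '
    /^[ \t]*[#!]/ { next }                      # properties-style comments
    { eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = tolower(substr($0, eq + 1))
      if (tolower(key) !~ /password/) next
      if (val == "")                        cls = "empty"
      else if (index(val, "{sas003}") == 1) cls = "sas003"
      else if (index(val, "{sas002}") == 1) cls = "sas002"
      else                                  cls = "plaintext"
      print key "\t" cls }' "$1"
}

# Blank the value of every password key and keep the rest of the file.
scrub_response_file() {
  tmp=$(mktemp "$1.XXXXXX") || return 1       # temp file is created mode 0600
  awk '
    { eq = index($0, "=") }
    $0 !~ /^[ \t]*[#!]/ && eq > 0 && tolower(substr($0, 1, eq - 1)) ~ /password/ {
      print substr($0, 1, eq); next }
    { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone run on the constructed sample: audit, scrub, audit again.
f=$(mktemp) && write_sample "$f"
audit_response_file "$f"
scrub_response_file "$f"
audit_response_file "$f"
rm -f "$f"
```

The scrub blanks {sas002} and {sas003} values as well as plaintext, because an encoded value can still be supplied where SAS accepts an encoded password.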
To update a password with SAS Deployment Manager:
1. (Optional) If you are updating the password for an internal account, review the server-level password policies for internal accounts. Also, check each internal account's properties to determine whether any more (or less) stringent requirements apply.
   Note: In particular, make sure that the account is not subject to a forced password change after the password is reset (either set the password to never expire or change the server-level policy for pre-expired passwords).
   Note: By default policy, internal passwords must be at least six characters and don't have to include mixed case or numbers. The five most recent passwords for an account can't be reused for that account.
2. (Optional) If you have licensed SAS/SECURE and you want to use stronger encryption than SAS002 (SASProprietary), use the PWENCODE procedure to prepare an AES-encrypted version of each new password. For example:
       proc pwencode in='PWsassrv1' method=sas003;
       run;
   The encrypted password is written to your SAS log. When you use method=sas003, the first part of the password is {sas003}.
3. Stop all SAS servers and services. Make any necessary adjustments to the state of your third-party Web components, as explained in the following table:
   State of Web Components for a Password Update
   | dmgr (the IBM deployment manager server) |
   | nodeagent (the IBM managed node server) |
   | Web application servers (for example, SASServer1) |
   | Web application servers (for example, SASServer1) |
4. If you are updating the password for an external account (for example, sassrv), change that password in your external authentication provider (for example, in the host operating system).
5. Restart the metadata server. Do not restart other servers or services.
6. On the metadata server's host, navigate to your equivalent of SAS-installation-directory/SASDeploymentManager/9.3/ and launch sasdm.exe (Windows), sasdm.sh (UNIX), or sasdm.rexx (z/OS).
   Note: On Windows, you must be a Windows administrator of the current machine in order to update managed passwords.
7. In the SAS Deployment Manager, select the update passwords task, select a configuration directory on the current machine, and log on as an unrestricted user (for example, sasadm@saspw).
8. Perform the update. If you need detailed assistance with the user interface, see the Help within the utility.
9. If you have servers on multiple machines, repeat steps 6–8 on each server host as applicable for the accounts that you are updating. Remember that you might have to update the same account on multiple hosts.
   Note: Not all accounts are used on all hosts. If the accounts that you are updating aren't on a particular host, proceed to the next host.
10. Restart all servers and services, and complete any additional post-update tasks as specified in the generated UpdatePasswords.html file.
    Note: Because of dependencies, it is important to start servers and services in a particular order. In particular, you should start the metadata server first and start Remote Services (the SAS Services Application) before you start the Web servers. For a complete discussion, see the chapter "Operating Your Servers" in SAS Intelligence Platform: System Administration Guide.