topic Re: sasadm@saspw password recovery in Administration and Deployment

sasadm@saspw password recovery

japsas100 — Thu, 04 Mar 2021 21:05:26 GMT

Hi ,

Can we decrypt the sasadm@saspw encoded password with any tool? I know SAS support has tool to decrypt the password with some proprietary algorithm tool. However due to security issue we can't send encoded password to sas for decrypt .

We also don't want to reset the password.

Any advise please.

Re: sasadm@saspw password recovery

gwootton — Thu, 04 Mar 2021 21:36:40 GMT

Why do you want to decrypt it?

If the password has been lost/forgotten, you should reset it rather than trying to recover it.

Re: sasadm@saspw password recovery

SASKiwi — Thu, 04 Mar 2021 21:40:54 GMT

How about arranging a secure WebEx session with SAS Tech Support. If you allow remote access to your session they can copy and paste the encoded password into their own session for decrypting. This sounds like a pretty secure solution to me.

If you could decrypt it with any tool then it isn't going to be secure at all.

Re: sasadm@saspw password recovery

japsas100 — Thu, 04 Mar 2021 21:41:07 GMT

@gwootton

If we want reset then it time consuming process it include testing in lower env before making any changes in prod.

We need the decrypt password to launch the sas amangement console and deployment manager to reset the sas internal account passowrd.

Re: sasadm@saspw password recovery

japsas100 — Thu, 04 Mar 2021 21:44:57 GMT

@SASKiwi

I was thinking about ftp and webex option. However management not allowing to sharing password with these option.

Is there any way to launch smc/dm with encoded passowrd?

Re: sasadm@saspw password recovery

gwootton — Thu, 04 Mar 2021 21:45:25 GMT

You can set another user (like your own account) as unrestricted in Metadata by adding them to the adminUsers.txt file in the Metadata Server directory:

Unlock an Internal Account
https://go.documentation.sas.com/?cdcId=bicdc&cdcVersion=9.4&docsetId=bisecag&docsetTarget=p135ufuc50p223n1ve02cy1a69u3.htm&locale=en

I believe SAS Deployment Manager will accept the encoded password for the sasadm@saspw account.

Re: sasadm@saspw password recovery

japsas100 — Thu, 04 Mar 2021 21:48:26 GMT

@gwootton

Can we add any other unrestricted ID without recycle the services?

Re: sasadm@saspw password recovery

gwootton — Thu, 04 Mar 2021 21:50:18 GMT

The Metadata Server reads the adminUsers.txt file when it starts, so the Metadata Server would need to be restarted for the addition to take effect.

Re: sasadm@saspw password recovery

japsas100 — Thu, 04 Mar 2021 21:59:21 GMT

Thanks @gwootton

ok, as per the documentation, its mentioned to stop/start all the services.

"If you do not know the password for the sasadm@saspw account, you will first need to reset it. Follow these steps:

Stop all SAS services"

If we add the another user in adminUsers.txt file, Do we need to restart only metadata services? If yes can we reset the sasadm@saspw password without stop/start all the services including metadata?

Re: sasadm@saspw password recovery

gwootton — Thu, 04 Mar 2021 22:05:38 GMT

Restarting the Metadata Server while other processes that depend on it are running can cause issues.

Re: sasadm@saspw password recovery

japsas100 — Thu, 04 Mar 2021 22:10:45 GMT

@gwootton

If no jobs are running at a time, can we reset the sasadm@saspw password by logging with another user in smc with only stop/start metadata services?

Re: sasadm@saspw password recovery

SASKiwi — Thu, 04 Mar 2021 23:41:55 GMT

@japsas100 - I always invoke SMC using IWA so no password is required.

Re: sasadm@saspw password recovery

japsas100 — Fri, 05 Mar 2021 02:35:16 GMT

@SASKiwi

How we can setup to access the smc using IWA ?

Re: sasadm@saspw password recovery

SASKiwi — Fri, 05 Mar 2021 03:14:29 GMT

@japsas100 - Tick the IWA box in the connection profile:

Re: sasadm@saspw password recovery

AnandVyas — Fri, 05 Mar 2021 05:17:14 GMT

Hi @japsas100

Usually when you launch SMC and create a profile to make a connection to metadata a SAS profile file is created under /home/sas/.SASAppData/MetadataServerProfiles with the name you have given during profile creation ( example: SASAdmin.swa).

If your site has the metadata option save local password set to yes this file also stores the encrypted password of the sasadm account. If it's there you won't be asked to enter password during the next launch of SMC. I think you can use this file to launch SMC using encoded password. I haven't tried it but you can give it a shot!

Re: sasadm@saspw password recovery

gwootton — Fri, 05 Mar 2021 13:36:06 GMT

User jobs are not the only processes that depend on the Metadata Server. The compute tier services like the Object Spawner and middle tier services like the web application servers establish connections to Metadata as well.

Re: sasadm@saspw password recovery

japsas100 — Sat, 06 Mar 2021 20:46:50 GMT

@SASKiwi

I can't see the IWA option in SAS 9.2 SMC.

Re: sasadm@saspw password recovery

SASKiwi — Sun, 07 Mar 2021 00:31:54 GMT

@japsas100 - Could be because you are running with a SAS linux server or it didn't become available until a later SAS release.

Re: sasadm@saspw password recovery

japsas100 — Sun, 07 Mar 2021 17:37:32 GMT

Thanks @AnandVyas

I have added the sasadm@saspw encrypted password to the /home/sas/.SASAppData/MetadataServerProfiles and its working fine. Thanks for the suggestion.

Is there any way to launch SAS Deployment manager by adding the encrypted password same as I did for sas management console.

Another question:

if we already know the current sasadm@saspw password? Do we need to stop/start any services after changing the password with smc/sdm?

Re: sasadm@saspw password recovery

AnandVyas — Mon, 08 Mar 2021 09:43:39 GMT

Hi @japsas100

Every time you launch SAS Deployment Manager or SAS Deployment Wizard, different options you provide as part of the wizard are stored into a response file and then used to run action/task you have selected. While providing values for these options, few steps are also verified in the background.

For example when you perform a change and enter password to metadata server, connection to metadata is verified.

Now that you don't know what the real password is you can actually run the wizard in record mode to generate a properties file and use that file to perform the task you wish to. Now the catch is in record mode even though the task isn't actually performed you will still be asked to enter the password and it will be validated so either you will have to get a sample file from your non-prod environment or seek for assistance from support.

For the second Q: After changing any value in the configuration file which is read during service startup you will always have to restart services. Mostly during internal passwords, sassrv etc.