cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
PriitL
Obsidian | Level 7 PriitL
Obsidian | Level 7

password and encryption-key parameters - EnvironmentManager hq-server.conf file

Posted 10-13-2020 09:33 AM (1602 views)

Hi!

 

I currently have a passwords/passphrase renewal in progress.
In the server-5.8.0-EE/conf/hq-server.conf file there are three parameters that comes up with a question.

 

The first one is the "server.database-password" parameter which is for connecting to database and as the Deplyoment Wizard changed it by itself during password renewal process it works. So no problem with this one despite of fact that it is in java encrypted ENC() format and i don't know which passphrase was used to generate that. But i can live with that at the moment because at least it is renewed.

 

Now, the "server.keystore.password" and "server.encryption-key" are the problematic ones.

The "server.keystore.password" parameter is for server.keystore (java p12 certificate) file. If i want to change that i need to recreate a new p12 format certificate for EVM. But if i generate a new certificate i need to use an unencrypted password for this keystore in hq-server.conf file. So the first question is how can i generate ENC() format password for new certificate to use it as "server.keystore.password" parameter in server-5.8.0-EE/conf/hq-server.conf file?

At first i thought that maybe the second problematic parameter "server.encryption-key" is for "server.keystore.password" and "server.database-password" parameters as they are in java encrypted ENC format and the "server.encryption-key" is used as java encryption passphrase in SAS002 format. But.. no. At least with jasypt package i can't encrypt the hash that works for EVM service and decrypt for example "server.database-password" ENC format password with the passphrase (plain, of course) anything i can come to.

 

So the second question is that what for the "server.encryption-key" parameter is for and how can i change it? Are there any other parameter i have to change if i renew the "server.encryption-key" parameter?

I know that is still an old password as i can generate the same hash with Enterprise Guide from old password.

 

I also have deleted the record from eam_keystore from postgres database every time i change some parameter but still no luck.


Thanks!

0 Likes
Reply
4 REPLIES 4
Anand_V
Ammonite | Level 13 Anand_V
Ammonite | Level 13

Re: password and encryption-key parameters - EnvironmentManager hq-server.conf file

Posted 10-13-2020 11:08 AM (1563 views)  |   In reply to PriitL

I think you should engage support for this. Usually for the other Web Application servers SASServerX_X there is a secure file with the passphrase that is used to encode the passwords. I tried looking for some hyperic docs and could see some sections where the passphrase is generated randomly. I am not sure if that's the case for SAS EVM, but if it is then I don't know if you can figure that out any way. 

 

If server.encryption-key is SAS encrypted and you know which password it is, I think you can generate it yourself using PWENCODE? 

Reply
PriitL
Obsidian | Level 7 PriitL
Obsidian | Level 7

Re: password and encryption-key parameters - EnvironmentManager hq-server.conf file

Posted 10-14-2020 02:47 AM (1512 views)  |   In reply to Anand_V

Thanks for the reply.

 

To sum up, the currently working setup is:

server.keystore.password - currenlty for testing purposes plain text pw for java keystore (p12)

server.database-password - renewed password (changed by Deployment Manager wizard, ENC format)

server.encryption-key - SAS002 format old password 

 

Yes, i can pwencode a new "server.encryption-key" but as i change it, EVM server won't come up. So it means that it is using it somewhere else and not for java ENC format password as the "server.keystore.password" is plain text and "server.database-password" is renewed with password i don't know.

 

 

Thanks!

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: password and encryption-key parameters - EnvironmentManager hq-server.conf file

Posted 10-14-2020 09:13 AM (1479 views)  |   In reply to PriitL
I believe the server.encryption-key is the passphrase used to encode the passwords.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
PriitL
Obsidian | Level 7 PriitL
Obsidian | Level 7

Re: password and encryption-key parameters - EnvironmentManager hq-server.conf file

Posted 11-10-2020 07:47 AM (1412 views)  |   In reply to PriitL

For an update if anyone else also struggles with this kind of issue here's how it got solved.

 

The "server.encryption-key" parameter can't be changed without special tool. The problem is that EAM_MEASUREMENT.DSN table (@WebInfrastructurePlatformDataServer) contains some ENC encrypted records and can't be changed because probably there might be thousands of those records.

The only solution is to get in touch with support and they provide a java tool for it. As it may be version dependent i can't put it here.

 

Then the "server.encryption-key" value had to be renamed to "server.encryption-key-org" - this value will be read by the tool mentioned previously.

A new "server.encryption-key" must be generated with EG or similar (proc pwencode method=sas002 in="<the new password>"; run;) and also added to hq-server.conf file.

 

Next a new server.keystore.password and server.database-password had to be generated with jasypt tool like

./encrypt.sh password={sas002}xxxxx... input=<database-password/keystore-you-used-to-generate-java-keystore>

where "password" is the pwencoded value.

 

Note! It is case sensitive so sas002 and SAS002 are not the same.

Note2! Prefix {SAS002} itself is also a member of password so it must be included.

Note3! "server.keystore.password" and "server.database-password" must be encrypted or the tool provided won't work. 🙂

 

Next step would be to run the 

../java -jar jasypttool.jar

and it does the magic.

 

That's it. Maybe it is also possible without the jasypttool.jar tool manually or by some other script but.. i'm not sure. Maybe the jasypttool.jar decrypts the database values and re-encrypts again but why does it need server.keystore.password parameter it that case.. (server.database-password is for accessing the database).

 

 

Regards,

 

PL

Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • ‎10-13-2020 09:33 AM
  • 1603 views
  • 3 likes
  • 3 in conversation