BookmarkSubscribeRSS Feed
Obsidian | Level 7



I currently have a passwords/passphrase renewal in progress.
In the server-5.8.0-EE/conf/hq-server.conf file there are three parameters that comes up with a question.


The first one is the "server.database-password" parameter which is for connecting to database and as the Deplyoment Wizard changed it by itself during password renewal process it works. So no problem with this one despite of fact that it is in java encrypted ENC() format and i don't know which passphrase was used to generate that. But i can live with that at the moment because at least it is renewed.


Now, the "server.keystore.password" and "server.encryption-key" are the problematic ones.

The "server.keystore.password" parameter is for server.keystore (java p12 certificate) file. If i want to change that i need to recreate a new p12 format certificate for EVM. But if i generate a new certificate i need to use an unencrypted password for this keystore in hq-server.conf file. So the first question is how can i generate ENC() format password for new certificate to use it as "server.keystore.password" parameter in server-5.8.0-EE/conf/hq-server.conf file?

At first i thought that maybe the second problematic parameter "server.encryption-key" is for "server.keystore.password" and "server.database-password" parameters as they are in java encrypted ENC format and the "server.encryption-key" is used as java encryption passphrase in SAS002 format. But.. no. At least with jasypt package i can't encrypt the hash that works for EVM service and decrypt for example "server.database-password" ENC format password with the passphrase (plain, of course) anything i can come to.


So the second question is that what for the "server.encryption-key" parameter is for and how can i change it? Are there any other parameter i have to change if i renew the "server.encryption-key" parameter?

I know that is still an old password as i can generate the same hash with Enterprise Guide from old password.


I also have deleted the record from eam_keystore from postgres database every time i change some parameter but still no luck.


Ammonite | Level 13

I think you should engage support for this. Usually for the other Web Application servers SASServerX_X there is a secure file with the passphrase that is used to encode the passwords. I tried looking for some hyperic docs and could see some sections where the passphrase is generated randomly. I am not sure if that's the case for SAS EVM, but if it is then I don't know if you can figure that out any way. 


If server.encryption-key is SAS encrypted and you know which password it is, I think you can generate it yourself using PWENCODE? 

Obsidian | Level 7

Thanks for the reply.


To sum up, the currently working setup is:

server.keystore.password - currenlty for testing purposes plain text pw for java keystore (p12)

server.database-password - renewed password (changed by Deployment Manager wizard, ENC format)

server.encryption-key - SAS002 format old password 


Yes, i can pwencode a new "server.encryption-key" but as i change it, EVM server won't come up. So it means that it is using it somewhere else and not for java ENC format password as the "server.keystore.password" is plain text and "server.database-password" is renewed with password i don't know.




I believe the server.encryption-key is the passphrase used to encode the passwords.
Greg Wootton | Principal Systems Technical Support Engineer
Obsidian | Level 7

For an update if anyone else also struggles with this kind of issue here's how it got solved.


The "server.encryption-key" parameter can't be changed without special tool. The problem is that EAM_MEASUREMENT.DSN table (@WebInfrastructurePlatformDataServer) contains some ENC encrypted records and can't be changed because probably there might be thousands of those records.

The only solution is to get in touch with support and they provide a java tool for it. As it may be version dependent i can't put it here.


Then the "server.encryption-key" value had to be renamed to "server.encryption-key-org" - this value will be read by the tool mentioned previously.

A new "server.encryption-key" must be generated with EG or similar (proc pwencode method=sas002 in="<the new password>"; run;) and also added to hq-server.conf file.


Next a new server.keystore.password and server.database-password had to be generated with jasypt tool like

./ password={sas002}xxxxx... input=<database-password/keystore-you-used-to-generate-java-keystore>

where "password" is the pwencoded value.


Note! It is case sensitive so sas002 and SAS002 are not the same.

Note2! Prefix {SAS002} itself is also a member of password so it must be included.

Note3! "server.keystore.password" and "server.database-password" must be encrypted or the tool provided won't work. 🙂


Next step would be to run the 

../java -jar jasypttool.jar

and it does the magic.


That's it. Maybe it is also possible without the jasypttool.jar tool manually or by some other script but.. i'm not sure. Maybe the jasypttool.jar decrypts the database values and re-encrypts again but why does it need server.keystore.password parameter it that case.. (server.database-password is for accessing the database).






suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • 3 in conversation