We’re smarter together. Learn from this collection of community knowledge and add your expertise.

Updating Managed Passwords

by SAS Employee CVitron on ‎05-25-2017 10:22 AM - edited 4 weeks ago by Community Manager (1,680 Views)

Need to update passwords in the SAS Intelligence Platform? No problem, as long as you follow a few important steps.


The SAS Platform includes a number of service accounts, both internal and external, needed by its various components. As part of administering the SAS Platform, the passwords for these service accounts (managed passwords) have to be periodically updated.


Updating Managed Passwords  


Before I discuss updating passwords, I want to remind you to take a full backup using the SAS Deployment Backup and Recovery tool. You can use the batch commands or the SAS Backup Manager interface in SAS Environment Manager, your choice.  


Now that you have a backup, let’s discuss updating passwords for the service accounts. The list of accounts will vary depending on exactly what software is installed and configured in your environment. Some examples of service accounts include:


  • SAS Administrator (sasadm@saspw)
  • SAS Trusted User (sastrust@saspw)
  • SAS General Servers (sassrv)
  • SAS Environment Manager User (sasevs@saspw)
  • accounts for the SAS Web Infrastructure Platform Data Server and databases


The best tool for the job of updating these service account passwords is the SAS Deployment Manager. It takes care of updating instances of passwords in a variety of locations: metadata, configuration files, databases, etc. The tool does not do all of the coordination for you. If you have multiple machines in your SAS Platform, you will need to run the SAS Deployment Manager on each machine while being mindful of a few key requirements.  


These requirements are laid out in the “Update a Managed Password” section in the SAS 9.4 Intelligence Platform: Security Administration Guide.  


The basic sequence for updating passwords is:


  1. Stop all SAS services on all machines.
  2. If you are updating a password for an external account (for example, sassrv), change that password in the external authentication provider (for example, host operating system).
  3. Start the SAS Metadata Server, the Web Infrastructure Platform Data Server, and any solution-specific data servers.
  4. Use the SAS Deployment Manager on each machine in the SAS Platform in this sequence: 
    1. the machine that hosts the Metadata Server
    2. the machine that hosts the Application Server with the Web Infrastructure Platform Data Server
    3. other machines hosting Application Servers
    4. the machine(s) hosting the middle tier servers
  5. Start the SAS Platform as you normally would.
  6. Validate that the passwords were successfully updated.

NOTE: These basic steps work for all accounts EXCEPT for sasevs@saspw. The sasevs@saspw account has special requirements.  


Of course, that’s just a basic outline. You’ll need to read through all of the steps in the “Update Managed Passwords” section in detail. Be sure to carefully read any “Notes” and in particular, this one:  


Note: The procedure to update the SAS Environment Manager identity password is different from the process detailed here. For more information, see SAS Environment Manager: User’s Guide.


This note is key. The sasevs@saspw account needs to be updated in a different sequence than prescribed for the other managed passwords. A quick look in the SAS Environment Manager: User’s Guide and we find the following steps:  


          Updating Passwords for SAS Environment Manager Metadata Identities To update the password for the sasevs@saspw

          account, follow these steps:


                  1. Stop SAS Environment Manager and all SAS Environment Manager agents on the system.

                  2. On the middle-tier machine, use the SAS Deployment Manager to change the password for the sasevs account.

                  3. Use the SAS Deployment Manager to update the sasevs password on the machines in the other tiers in the


                  4. Restart SAS Environment Manager and the SAS Environment Manager agents.


The important difference when updating the sasevs@saspw password is that you need to start on the machine hosting the SAS Environment Manager, typically referred to as the middle tier machine.  


Key Takeaways


  • You can update the sasevs@saspw password before all of the other passwords or after. I have not found that it makes a difference, but I have not tested every possible combination of software and architecture. Just be very careful when you are updating the other passwords and be sure to deselect the sasevs@saspw account in the Update Password task in the SAS Deployment Manager.
  • When you are updating sasevs@saspw, start with the machine hosting the SAS Environment Manager. When you are updating the other passwords, start with the machine hosting the SAS Metadata Server.
  • When the instructions say to start the SAS Web Infrastructure Platform Data Server and solution-specific data servers, I recommend using the sas.servers.pre script on the machine hosting the SAS Web Infrastructure Platform Data Server. If you fail to start the solution specific data servers, you will get an error when you try to update a passwords for those data servers. The error vary a bit in how it is presented but you would get a message indicating a failure to communicate with the data server in question either in the error dialog box or the log file generated.
  • It’s always a great idea to document the changes you’ve made and the steps you’ve followed for future reference.
  • Once you’ve validated that everything works, it’s not a bad idea to take another full backup, just in case.

  Hopefully this helps you understand a bit more about the process and be successful updating managed passwords.  

Your turn
Sign In!

Want to write an article? Sign in with your profile.

Looking for the Ask the Expert series? Find it in its new home: communities.sas.com/askexpert.