BookmarkSubscribeRSS Feed

Updating Managed Passwords

Started ‎05-25-2017 by
Modified ‎10-26-2017 by
Views 17,214

Need to update passwords in the SAS Intelligence Platform? No problem, as long as you follow a few important steps.


The SAS Platform includes a number of service accounts, both internal and external, needed by its various components. As part of administering the SAS Platform, the passwords for these service accounts (managed passwords) have to be periodically updated.


Updating Managed Passwords  


Before I discuss updating passwords, I want to remind you to take a full backup using the SAS Deployment Backup and Recovery tool. You can use the batch commands or the SAS Backup Manager interface in SAS Environment Manager, your choice.  


Now that you have a backup, let’s discuss updating passwords for the service accounts. The list of accounts will vary depending on exactly what software is installed and configured in your environment. Some examples of service accounts include:


  • SAS Administrator (sasadm@saspw)
  • SAS Trusted User (sastrust@saspw)
  • SAS General Servers (sassrv)
  • SAS Environment Manager User (sasevs@saspw)
  • accounts for the SAS Web Infrastructure Platform Data Server and databases


The best tool for the job of updating these service account passwords is the SAS Deployment Manager. It takes care of updating instances of passwords in a variety of locations: metadata, configuration files, databases, etc. The tool does not do all of the coordination for you. If you have multiple machines in your SAS Platform, you will need to run the SAS Deployment Manager on each machine while being mindful of a few key requirements.  


These requirements are laid out in the “Update a Managed Password” section in the SAS 9.4 Intelligence Platform: Security Administration Guide.  


The basic sequence for updating passwords is:


  1. Stop all SAS services on all machines.
  2. If you are updating a password for an external account (for example, sassrv), change that password in the external authentication provider (for example, host operating system).
  3. Start the SAS Metadata Server, the Web Infrastructure Platform Data Server, and any solution-specific data servers.
  4. Use the SAS Deployment Manager on each machine in the SAS Platform in this sequence: 
    1. the machine that hosts the Metadata Server
    2. the machine that hosts the Application Server with the Web Infrastructure Platform Data Server
    3. other machines hosting Application Servers
    4. the machine(s) hosting the middle tier servers
  5. Start the SAS Platform as you normally would.
  6. Validate that the passwords were successfully updated.

NOTE: These basic steps work for all accounts EXCEPT for sasevs@saspw. The sasevs@saspw account has special requirements.  


Of course, that’s just a basic outline. You’ll need to read through all of the steps in the “Update Managed Passwords” section in detail. Be sure to carefully read any “Notes” and in particular, this one:  


Note: The procedure to update the SAS Environment Manager identity password is different from the process detailed here. For more information, see SAS Environment Manager: User’s Guide.


This note is key. The sasevs@saspw account needs to be updated in a different sequence than prescribed for the other managed passwords. A quick look in the SAS Environment Manager: User’s Guide and we find the following steps:  


          Updating Passwords for SAS Environment Manager Metadata Identities To update the password for the sasevs@saspw

          account, follow these steps:


                  1. Stop SAS Environment Manager and all SAS Environment Manager agents on the system.

                  2. On the middle-tier machine, use the SAS Deployment Manager to change the password for the sasevs account.

                  3. Use the SAS Deployment Manager to update the sasevs password on the machines in the other tiers in the


                  4. Restart SAS Environment Manager and the SAS Environment Manager agents.


The important difference when updating the sasevs@saspw password is that you need to start on the machine hosting the SAS Environment Manager, typically referred to as the middle tier machine.  


Key Takeaways


  • You can update the sasevs@saspw password before all of the other passwords or after. I have not found that it makes a difference, but I have not tested every possible combination of software and architecture. Just be very careful when you are updating the other passwords and be sure to deselect the sasevs@saspw account in the Update Password task in the SAS Deployment Manager.
  • When you are updating sasevs@saspw, start with the machine hosting the SAS Environment Manager. When you are updating the other passwords, start with the machine hosting the SAS Metadata Server.
  • When the instructions say to start the SAS Web Infrastructure Platform Data Server and solution-specific data servers, I recommend using the sas.servers.pre script on the machine hosting the SAS Web Infrastructure Platform Data Server. If you fail to start the solution specific data servers, you will get an error when you try to update a passwords for those data servers. The error vary a bit in how it is presented but you would get a message indicating a failure to communicate with the data server in question either in the error dialog box or the log file generated.
  • It’s always a great idea to document the changes you’ve made and the steps you’ve followed for future reference.
  • Once you’ve validated that everything works, it’s not a bad idea to take another full backup, just in case.

  Hopefully this helps you understand a bit more about the process and be successful updating managed passwords.  


Apart from the above changes through deployment manager there are certain places we should manually update the password of sasevs

password  and it will be encrypted and  stored in the located in the SASConfig94/Lev1/Web/SASEVM/agent/conf location.


Follow the  SAS notes to get it done.

Do we have to do the environment manager properties change in all server where ever Environment manager agent is running?

Yes, you need to update the sasevs@saspw password on every machine that has the Environment Manager Agent but only after you update the sasevs@saspw password on the machine running the Environment Manager Server.

I updated password after completed on env server. so do I have to change and in all servers too as i am getting error in metadata server that password is locked. 



2021-04-19T19:10:31,214 WARN  [00229400] :sas - Access to this account ("sasevs") is locked out due to excessive log on failure


2021-04-19T19:10:31,214 WARN  [00229400] :sas - New client connection (9908) rejected from server port 8561 for user sasevs@saspw. Peer IP address and port are [::ffff:]:33816 for APPNAME=Logon Manager 9.4.

2021-04-19T19:10:31,214 INFO  [00229400] :sas - Client connection 9908 closed.

2021-04-19T19:10:31,379 WARN  [00229406] :sas - Access to this account ("sasevs") is locked out due to excessive log on failures.

You should not need to update those properties if you updated all of the passwords in the correct sequence. I recommend opening a track with SAS Technical Support to resolve your issue.

I couldn't get the link for "Updating a Managed Password" in this article to work, but below is a working link (for now)


Thank you Mike for sharing an updated link to the documentation.

Looks like that pesky documentation link has changed again. "Updating a Managed Password":

Version history
Last update:
‎10-26-2017 07:50 AM
Updated by:


Available on demand!

Missed SAS Innovate Las Vegas? Watch all the action for free! View the keynotes, general sessions and 22 breakouts on demand.


Register now!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags