
Security Tasks

Manage Passwords


Password Policies

Each authentication provider sets password policies for accounts in that provider. For example, the password expiration policy for a host account is determined by that host. For the SAS internal authentication provider, you can set server-level and per-account policies such as password strength requirements and password expiration periods. See How to Change Internal Account Policies.

In the initial configuration, users can choose to store their credentials in their client-side connection profiles. This prepopulates the logon dialog box in desktop applications. To prevent users from creating a local copy of their credentials, set SASSEC_LOCAL_PW_SAVE="N" (or ="0" or ="F") in the metadata server's omaconfig.xml file and restart the server.

In desktop clients, this option controls the availability of a check box that enables the user to choose whether to store their credentials locally.

Note: A change to the SASSEC_LOCAL_PW_SAVE= setting takes effect after the metadata server is restarted. Each client uses the previous setting for its first connection, discovers the revised metadata server setting, and conforms to that revised setting for subsequent connections. If you change the setting to disallow saved credentials, and credentials are already present in a user's connection profile, those credentials must be manually removed.
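
A check for the setting described above, as an added example rather than SAS-supplied code. It assumes that the option is an XML attribute in omaconfig.xml; the <OMAconfig>/<OMA> layout of the constructed samples and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

OPTION = "SASSEC_LOCAL_PW_SAVE"
# Values the page lists as preventing locally saved credentials.
DISABLING_VALUES = {"N", "0", "F"}

# Constructed samples; the element layout is an assumption.
HARDENED = '<OMAconfig><OMA SASSEC_LOCAL_PW_SAVE="N"/></OMAconfig>'
PERMISSIVE = '<OMAconfig><OMA SASSEC_LOCAL_PW_SAVE="Y"/></OMAconfig>'
UNSET = '<OMAconfig><OMA/></OMAconfig>'
MIXED = ('<OMAconfig><OMA SASSEC_LOCAL_PW_SAVE="0"/>'
         '<OMA SASSEC_LOCAL_PW_SAVE="Y"/></OMAconfig>')


def local_pw_save_status(xml_text):
    """Classify omaconfig.xml content.

    Returns 'disabled', 'allowed', 'not set' (the initial configuration, in
    which users can store credentials) or 'conflicting'.
    """
    root = ET.fromstring(xml_text)
    # Search every element instead of hard-coding which one carries the option.
    values = [elem.attrib[OPTION].strip().upper()
              for elem in root.iter() if OPTION in elem.attrib]
    if not values:
        return "not set"
    # Anything outside the disabling values is treated as allowing saves.
    states = {"disabled" if v in DISABLING_VALUES else "allowed" for v in values}
    return states.pop() if len(states) == 1 else "conflicting"


if __name__ == "__main__":
    for name, sample in [("hardened", HARDENED), ("permissive", PERMISSIVE),
                         ("unset", UNSET), ("mixed", MIXED)]:
        print(name, "->", local_pw_save_status(sample))
```

A result of "disabled" describes the file only; the running metadata server picks the value up after its restart, and clients conform after their first connection.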


Password Updates for Service Accounts

Passwords for a few service accounts require special coordination because these passwords are included in configuration files. The following table and list provide details.

Overview of Storage of Service Account Passwords

Owning Metadata Identity   Example Account ID   Location: In Files   Location: In Metadata
SAS Administrator          sasadm@saspw         Yes                  Yes
SAS Trusted User           sastrust@saspw       Yes                  Yes
SAS Anonymous Web User     webanon@saspw        Yes                  Yes
SAS General Servers        sassrv               -                    Yes
LSF Services (1)           lsfuser              -                    Yes

(1) For sites that use a standard configuration of scheduling with Platform Suite for SAS (with SAS Web Report Studio).

Here are some exceptions to the preceding table:

To update a service account password that is included only in metadata, use either SAS Management Console or the SAS Deployment Manager. To update a password that is included in configuration files, use the SAS Deployment Manager. Here are some key points about using the SAS Deployment Manager to update passwords:


To update a password with SAS Deployment Manager:

  1. (Optional) If you are updating the password for an internal account, review the server-level password policies for internal accounts. Also, check each internal account's properties to determine whether any more (or less) stringent requirements apply.

    Note: In particular, make sure that the account is not subject to a forced password change after the password is reset (either set the password to never expire or change the server-level policy for pre-expired passwords).

    Note: By default policy, internal passwords must be at least six characters and don't have to include mixed case or numbers. The five most recent passwords for an account can't be reused for that account.

  2. (Optional) If you have licensed SAS/SECURE and you want to use stronger encryption than SAS002, use the PWENCODE procedure to prepare an AES-encrypted version of each new password. For example:

    proc pwencode in='PWsassrv1' method=sas003;
    run;

    The encrypted password is written to your SAS log. When you use method=sas003, the first part of the password is {sas003}.

  3. Stop all SAS servers and services. Make any necessary adjustments to the state of your third-party Web components, as explained in the following table:

    State of Web Components for a Password Update

    Product     Component                                              State
    WebSphere   dmgr (the IBM deployment manager server)               Running
    WebSphere   nodeagent (the IBM managed node server)                Running
    WebSphere   Web application servers (for example, SASServer1)      It doesn't matter
    WebLogic    node manager                                           Running
    WebLogic    ManagedWebLogic server                                 Stopped
    JBoss       Web application servers (for example, SASServer1)      Stopped

  4. If you are updating the password for an external account (for example, sassrv), change that password in your external authentication provider (for example, in the host operating system).

  5. Restart the metadata server. Do not restart other servers or services.

  6. On the metadata server's host, navigate to your equivalent of SAS-installation-directory/SASDeploymentManager/9.2 and launch config.exe (Windows), config.sh (UNIX), or config.rexx (z/OS).

  7. In the SAS Deployment Manager, select the update passwords task, select a configuration directory on the current machine, and log on as an unrestricted user (for example, sasadm@saspw).

  8. Perform the update. If you need detailed assistance with the user interface, see the Help within the utility.

  9. If you have servers on multiple machines, repeat steps 6-8 on each server host as applicable for the accounts that you are updating. Remember that you might have to update the same account on multiple hosts.

    Note: Not all accounts are used on all hosts. If the accounts that you are updating aren't on a particular host, proceed to the next host.

  10. Restart all servers and services, and complete any additional post-update tasks as specified in the generated UpdatePasswords.html file.

    Note: Because of dependencies, it is important to start servers and services in a particular order. In particular, you should start the metadata server first and start Remote Services (the SAS Services Application) before you start the Web servers. For a complete discussion, see Starting Servers in the Correct Order in the SAS Intelligence Platform: System Administration Guide.

Note: You can automate running the deployment manager when you need to perform the same configuration action on many machines in your deployment. The deployment manager uses the same record and playback mechanism as the SAS Deployment Wizard to perform a non-interactive, silent configuration. For more information, see the topic "Automating the SAS Installation on Multiple Machines" in the SAS Intelligence Platform: Installation and Configuration Guide.

CAUTION:
If you choose to use the deployment manager's record and playback mechanism to update passwords, passwords are written to the response file.

For greater security, delete the response file (or remove the passwords from the response file) when you are finished. A response file is present only if you use the record and playback mechanism, instead of completing the task manually as documented in the preceding steps.
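
One way to find and blank the passwords left in a response file, as an added example rather than SAS-supplied code. It assumes the response file is a key=value properties file; the key names, the sample content and the function names are constructed for illustration. It also reports the encoding tag of each stored value ({sas002}, {sas003}, or none), which ties back to the PWENCODE step above.

```python
import re

# Tag that PROC PWENCODE puts at the start of an encoded password, e.g. {sas003}.
TAG_RE = re.compile(r"^\{(sas\d{3})\}", re.IGNORECASE)
# Assumption: property names that carry passwords contain "passw" or "pwd".
KEY_RE = re.compile(r"passw|pwd", re.IGNORECASE)

# Constructed sample; keys and values are invented for illustration.
SAMPLE = """\
# recorded by the deployment manager (constructed sample)
CONFIGURATION_DIRECTORY=/opt/sas/config/Lev1
sasadm.password={sas002}0A1B2C3D4E5F
sassrv.password=PWsassrv1
sastrust.secret={sas003}ABCDEF0123456789
"""


def classify(value):
    """Return the encoding tag of a stored password, or 'plaintext'."""
    match = TAG_RE.match(value)
    return match.group(1).lower() if match else "plaintext"


def audit_response_file(text):
    """Return (findings, redacted_text) for response-file content.

    findings is a list of (line_number, key, encoding) tuples; redacted_text
    is the same content with every flagged value blanked.
    """
    findings, out = [], []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        is_property = stripped and stripped[0] not in "#!" and "=" in stripped
        if is_property:
            key, value = (part.strip() for part in stripped.split("=", 1))
            # Flag by key name, or by value shape when the key is unfamiliar.
            if value and (KEY_RE.search(key) or TAG_RE.match(value)):
                findings.append((number, key, classify(value)))
                line = key + "="
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    hits, cleaned = audit_response_file(SAMPLE)
    for number, key, encoding in hits:
        print(f"line {number}: {key} holds a {encoding} password")
    print(cleaned, end="")
```

An encoded value is still a usable credential to anything that accepts the encoded form, so every flagged entry is blanked regardless of its tag.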

See Also

Encryption Overview

SAS Internal Authentication

Passwords That Are Managed By the SAS Deployment Manager


Password Updates for Users and Groups


External Accounts

In most cases, the SAS copy of an external account includes only a user ID and doesn't include a password, so no password updates in metadata are necessary.

If any external passwords are stored, updates to those passwords are driven by changes that first occur in the external authentication provider. For example, if a copy of the password for an Oracle account or a host account is stored in the metadata as a group login, you must maintain that copy so that it always matches the actual password. Any change to the actual password (in Oracle) must be followed by a corresponding update to the SAS copy of the password (in the group login in the metadata).

You can update external passwords in SAS Management Console. If you own logins that include passwords, you can also update those passwords in SAS Personal Login Manager. To update the SAS copy of an external password in SAS Management Console, navigate to the owning user or group definition, select the Accounts tab, select a login, and click Edit (next to the table of logins).


SAS Internal Accounts

Every SAS internal account has a password. By initial policy, these passwords don't expire. See How to Change Internal Account Policies.

To update a SAS internal password in SAS Management Console, navigate to the owning user definition, select the Accounts tab, and click Update (at the bottom of the tab). If you have your own SAS internal account, you can also update your internal password in SAS Personal Login Manager.

Note: If repeated attempts to log on with an internal account fail, that account might be locked. See How to Unlock an Internal Account.
