Security Tasks
Password Policies
Each authentication provider sets password policies for accounts in that provider. For example, the password expiration policy for a host account is determined by that host. For the SAS internal authentication provider, you can set server-level and per-account policies such as password strength requirements and password expiration periods. See How to Change Internal Account Policies.
In the initial configuration, users can choose to store their credentials in their client-side connection profiles. This prepopulates the logon dialog box in desktop applications. To prevent users from creating a local copy of their credentials, set SASSEC_LOCAL_PW_SAVE="N" (or ="0" or ="F") in the metadata server's omaconfig.xml file and restart the server.
In desktop clients, this option controls the availability of a check box that enables the user to choose whether to store their credentials locally.
Note: A change to the SASSEC_LOCAL_PW_SAVE= setting takes effect after the metadata server is restarted. Each client uses the previous setting for its first connection, discovers the revised metadata server setting, and conforms to that revised setting for subsequent connections. If you change the setting to disallow saved credentials, and credentials are already present in a user's connection profile, those credentials must be manually removed.
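The check below is an added example, not part of the SAS documentation or of any SAS tool: a small Python audit that reads a copy of the metadata server's omaconfig.xml and reports whether SASSEC_LOCAL_PW_SAVE is set to one of the values that disallow locally saved credentials. It assumes the option appears as an attribute of an OMA element inside OMAconfig, which is the usual layout of that file; the three sample documents are constructed for the example.

```python
"""Audit omaconfig.xml for the SASSEC_LOCAL_PW_SAVE setting (added example, not SAS code).

Assumes the server option is an attribute of <OMA> inside <OMAconfig>.
The sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# The values the documentation lists as disallowing locally saved credentials.
DISALLOW_VALUES = {"N", "0", "F"}

# Constructed sample: the initial configuration, in which users may save credentials.
SAMPLE_ALLOWS = """<OMAconfig>
  <OMA SASSEC_LOCAL_PW_SAVE="Y"/>
</OMAconfig>"""

# Constructed sample: credential saving disabled.
SAMPLE_DISALLOWS = """<OMAconfig>
  <OMA SASSEC_LOCAL_PW_SAVE="N"/>
</OMAconfig>"""

# Constructed sample: the option is absent, so the initial behaviour applies.
SAMPLE_UNSET = """<OMAconfig>
  <OMA/>
</OMAconfig>"""


def local_pw_save_setting(xml_text):
    """Return the raw SASSEC_LOCAL_PW_SAVE value, or None when it is not set."""
    root = ET.fromstring(xml_text)
    # iter() includes the root itself, so this works whether <OMA> is the root or a child.
    for oma in root.iter("OMA"):
        value = oma.get("SASSEC_LOCAL_PW_SAVE")
        if value is not None:
            return value.strip()
    return None


def credential_saving_disabled(xml_text):
    """True only for an explicit N, 0 or F.

    An absent setting means the initial configuration, in which saving is
    allowed, so it is reported as not disabled rather than as unknown.
    """
    return local_pw_save_setting(xml_text) in DISALLOW_VALUES


def audit(xml_text):
    """One-line finding suitable for a configuration review report."""
    value = local_pw_save_setting(xml_text)
    if credential_saving_disabled(xml_text):
        return "PASS: SASSEC_LOCAL_PW_SAVE=%s, clients cannot store credentials" % value
    if value is None:
        return "FAIL: SASSEC_LOCAL_PW_SAVE not set, initial configuration allows saved credentials"
    return "FAIL: SASSEC_LOCAL_PW_SAVE=%s, clients may store credentials locally" % value


if __name__ == "__main__":
    for sample in (SAMPLE_ALLOWS, SAMPLE_DISALLOWS, SAMPLE_UNSET):
        print(audit(sample))
```

The audit is deliberately strict: only the exact values the documentation names count as disabled, and an absent option is reported as a failure, because the initial configuration allows saving. Remember that a PASS here only confirms the server-side setting; credentials already stored in a user's connection profile before the change still have to be removed by hand.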
Password Updates for Service Accounts
Passwords for a few service accounts require special coordination because these passwords are included in configuration files. The following table and list provide details.
Owning Metadata Identity | Example Account ID | Location: In Files | Location: In Metadata
---|---|---|---
SAS Administrator | sasadm@saspw | |
SAS Trusted User | sastrust@saspw | |
SAS Anonymous Web User | webanon@saspw | |
SAS General Servers | sassrv | |
LSF Services¹ | lsfuser | |

¹ For sites that use a standard configuration of scheduling with Platform Suite for SAS (with SAS Web Report Studio).
Here are some exceptions to the preceding table:
Not all sites use all accounts.
Not all sites use the standard account IDs.
Some sites have additional service accounts (for example, additional logins on the SAS General Servers Group).
Some sites choose to use external accounts for all service identities (instead of using internal accounts where appropriate).
To update a service account password that is included only in metadata, use either SAS Management Console or the SAS Deployment Manager. To update a password that is included in configuration files, use the SAS Deployment Manager. Here are some key points about using the SAS Deployment Manager to update passwords:
The utility updates both configuration files and metadata. You can update multiple passwords in a single pass.
You must run the utility on each machine that hosts affected components. If you have servers on multiple machines, run the utility on each host, beginning with the metadata server machine.
It might be necessary to update the same password on multiple hosts. For example, if you update the password for the SAS Trusted User on the metadata server's host, you must also do the same update on the middle-tier machine.
Be sure to supply the same new password for an account on all machines on which you update that account.
If you enter a plaintext password into the utility, the utility encodes that password using SAS proprietary encoding (SAS002).
Passwords for any service accounts that you introduce in SAS Management Console aren't managed by this tool. For example, if you designate a new login as the launch credential for a server, that launch credential isn't automatically added to the list of accounts that the SAS Deployment Manager can update. Server launch credentials aren't added to a configuration file, so you can update any such passwords from the owning identity's Accounts tab in SAS Management Console.
Each run of this utility generates an UpdatePasswords.html file that documents the updates that the utility performed and provides instructions for any required post-update activities.
To update a password with SAS Deployment Manager:
1. (Optional) If you are updating the password for an internal account, review the server-level password policies for internal accounts. Also, check each internal account's properties to determine whether any more (or less) stringent requirements apply.
   Note: In particular, make sure that the account is not subject to a forced password change after the password is reset (either set the password to never expire or change the server-level policy for pre-expired passwords).
   Note: By default policy, internal passwords must be at least six characters and don't have to include mixed case or numbers. The five most recent passwords for an account can't be reused for that account.
2. (Optional) If you have licensed SAS/SECURE and you want to use stronger encryption than SAS002, use the PWENCODE procedure to prepare an AES-encrypted version of each new password. For example:
   proc pwencode in='PWsassrv1' method=sas003; run;
   The encrypted password is written to your SAS log. When you use method=sas003, the first part of the password is {sas003}.
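Because PROC PWENCODE prefixes its output with a tag such as {sas002} or {sas003}, a reviewer can tell from a configuration file alone which encoding each stored password uses. The scanner below is an added example, not part of the SAS documentation or tooling: it walks configuration text, lists every encoded-password token by line number and tag, and flags the lines still using SAS002 (SAS proprietary encoding) rather than SAS003 (AES). The configuration lines and encoded values are constructed placeholders, not real PWENCODE output, and the scanner deliberately reports only line numbers and tags, never the encoded value itself.

```python
"""Find encoded SAS passwords in configuration text and flag SAS002 ones.

Added example, not SAS code. Relies only on the {sasNNN} tag that PROC PWENCODE
puts in front of its output. The sample configuration is constructed and the
encoded values are placeholders.
"""
import re

# Descriptions from the documentation: SAS002 is SAS proprietary encoding,
# SAS003 is AES and requires SAS/SECURE. Other tags are reported as unrecognised.
ENCODING_STRENGTH = {
    "sas002": "weaker (SAS proprietary encoding)",
    "sas003": "stronger (AES, requires SAS/SECURE)",
}

# A {sasNNN} tag followed by the encoded text. The encoded text is hex in practice;
# any run of word characters is accepted so a differing alphabet still matches.
TOKEN_RE = re.compile(r"\{(sas\d{3})\}(\w+)", re.IGNORECASE)

SAMPLE_CONFIG = """<!-- constructed sample, not a real SAS configuration file -->
<property name="sassrv.password" value="{sas002}3CD4EA1E35CA49324AAC1D9B"/>
<property name="sastrust.password" value="{sas003}8E1F0A7B2C4D5E6F0011223344556677"/>
<property name="webanon.password" value="{sas002}4B5C6D7E8F90A1B2C3D4E5F6"/>
<property name="jdbc.url" value="jdbc:oracle:thin:@dbhost:1521:ORCL"/>
"""


def find_encoded_passwords(text):
    """Return (line_number, tag) for every encoded-password token in the text.

    The encoded value itself is not returned, so a report built from this
    function does not copy reversible SAS002 strings into yet another file.
    """
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            found.append((lineno, match.group(1).lower()))
    return found


def weak_encodings(text):
    """Line numbers that still carry SAS002-encoded passwords."""
    return [lineno for lineno, tag in find_encoded_passwords(text) if tag == "sas002"]


def report(text):
    """Human-readable lines, one per encoded password found."""
    lines = []
    for lineno, tag in find_encoded_passwords(text):
        strength = ENCODING_STRENGTH.get(tag, "unrecognised encoding tag")
        lines.append("line %d: {%s} %s" % (lineno, tag, strength))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
    print("lines to re-encode with method=sas003:", weak_encodings(SAMPLE_CONFIG))
```

Run against the configuration directories on each host after the update to confirm that every account you intended to strengthen now carries a {sas003} tag; a line still tagged {sas002} means the plaintext or SAS002 value was supplied to the utility on that host and the step should be repeated with the PWENCODE output.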
3. Stop all SAS servers and services. Make any necessary adjustments to the state of your third-party Web components, as explained in the following table:

Product | Component | State
---|---|---
WebSphere | dmgr (the IBM deployment manager server) | Running
WebSphere | nodeagent (the IBM managed node server) | Running
WebSphere | Web application servers (for example, SASServer1) | It doesn't matter
WebLogic | node manager | Running
WebLogic | Managed WebLogic server | Stopped
JBoss | Web application servers (for example, SASServer1) | Stopped

4. If you are updating the password for an external account (for example, sassrv), change that password in your external authentication provider (for example, in the host operating system).
5. Restart the metadata server. Do not restart other servers or services.
6. On the metadata server's host, navigate to your equivalent of SAS-installation-directory/SASDeploymentManager/9.2 and launch config.exe (Windows), config.sh (UNIX), or config.rexx (z/OS).
7. In the SAS Deployment Manager, select the update passwords task, select a configuration directory on the current machine, and log on as an unrestricted user (for example, sasadm@saspw).
8. Perform the update. If you need detailed assistance with the user interface, see the Help within the utility.
9. If you have servers on multiple machines, repeat steps 6-8 on each server host as applicable for the accounts that you are updating. Remember that you might have to update the same account on multiple hosts.
   Note: Not all accounts are used on all hosts. If the accounts that you are updating aren't on a particular host, proceed to the next host.
10. Restart all servers and services, and complete any additional post-update tasks as specified in the generated UpdatePasswords.html file.
   Note: Because of dependencies, it is important to start servers and services in a particular order. In particular, you should start the metadata server first and start Remote Services (the SAS Services Application) before you start the Web servers. For a complete discussion, see Starting Servers in the Correct Order in the SAS Intelligence Platform: System Administration Guide.
   Note: You can automate running the deployment manager when you need to perform the same configuration action on many machines in your deployment. The deployment manager uses the same record and playback mechanism as the SAS Deployment Wizard to perform a non-interactive, silent configuration. For more information, see the topic "Automating the SAS Installation on Multiple Machines" in the SAS Intelligence Platform: Installation and Configuration Guide.
   For greater security, delete the response file (or remove the passwords from the response file) when you are finished. A response file is present only if you use the record and playback mechanism, instead of completing the task manually as documented in the preceding steps.
Password Updates for Users and Groups
In most cases, the SAS copy of an external account includes only a user ID and doesn't include a password, so no password updates in metadata are necessary.
If any external passwords are stored, updates to those passwords are driven by changes that first occur in the external authentication provider. For example, if a copy of the password for an Oracle account or a host account is stored in the metadata as a group login, you must maintain that copy so that it always matches the actual password. Any change to the actual password (in Oracle) must be followed by a corresponding update to the SAS copy of the password (in the group login in the metadata).
You can update external passwords in SAS Management Console. If you own logins that include passwords, you can also update those passwords in SAS Personal Login Manager. To update the SAS copy of an external password in SAS Management Console, navigate to the owning user or group definition, select the Accounts tab, select a login, and click Edit (next to the table of logins).
Every SAS internal account has a password. By initial policy, these passwords don't expire. See How to Change Internal Account Policies.
To update a SAS internal password in SAS Management Console, navigate to the owning user definition, select the Accounts tab, and click Update (at the bottom of the tab). If you have your own SAS internal account, you can also update your internal password in SAS Personal Login Manager.
Note: If repeated attempts to log on with an internal account fail, that account might be locked. See How to Unlock an Internal Account.
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.