Checklists

Passwords That Are Managed By the SAS Deployment Manager

	About This Topic
	Managed Passwords in the SAS Metadata Repository
	Managed Passwords in the SAS Configuration Directories
	Additional Managed Passwords in the Web Environment

About This Topic

This topic is provided for reference and to assist with troubleshooting. This topic does not provide comprehensive, step-by-step instructions for updating managed passwords. The recommended method for updating the passwords that are documented in this topic is to use the password update tool. See Password Updates for Service Accounts.

CAUTION:: You should directly edit passwords in configuration files only as a last resort.
Before you directly edit any configuration file, review the configuration file precedence information in the appendix Configuration Files in the SAS Intelligence Platform: System Administration Guide.

This topic lists only the locations in which the SAS Deployment Manager directly updates passwords. Some passwords are propagated when the utility rebuilds and redeploys the Web applications as part of the automated password update process. This topic doesn't include any additional managed passwords that are introduced by SAS solutions (the administrative documentation for each solution documents any managed passwords that are specific to that solution).

Except where otherwise specified, passwords in configuration files should be in a SAS encoded or encrypted format (the password string should begin with {SAS002} or {SAS003}). However, you should not supply encoded or encrypted password values in SAS Management Console.

Managed Passwords in the SAS Metadata Repository

The SAS Deployment Manager updates passwords in the following metadata locations:

The passwords for the SAS Administrator and the SAS Trusted User are in the user service definition. To access these settings in SAS Management Console:
1. On the Plug-ins tab, select Foundation Services Manager Remote Services Core. Right-click User Service and select Properties.
2. On the Service Configuration tab, click the Configuration button.
3. On the Users tab, select a user ID and click Edit. The Edit User dialog box contains the Password and Confirm Password fields.
The password for the SAS Trusted User is in the content mapping. To access this setting in SAS Management Console:
1. On the Folders tab, right-click the SAS Folders node and select Properties.
2. On the Content Mapping tab, if the WebDAV location radio button is selected, the Password and Confirm Password fields are enabled. In the standard configuration, the SAS Trusted User's credentials are used here.
The password for the SAS Server Invoker is in the SAS Server Invoker (sassrv) login. To access this setting in SAS Management Console:
1. On the Plug-ins tab, select User Manager.
2. In the display area, right-click the SAS General Servers group and select Properties.
3. On the Accounts tab, select the login and click Edit. The Login Properties dialog box contains the Password and Confirm Password fields.
  
  Note: The SAS General Servers group often has multiple logins. The SAS Deployment Manager can update only those logins that were designated as server launch credentials through the installation processes. Because these passwords are stored only in the metadata, you can choose to maintain them interactively in SAS Management Console (instead of with the SAS Deployment Manager).
The password for the SAS Anonymous Web User is in the SAS Anonymous Web User's login (if this identity exists and has an external account). To access the login in SAS Management Console:
1. On the Plug-ins tab, select User Manager.
2. In the display area, right-click the SAS Anonymous Web User and select Properties. Not all deployments include this identity.
3. On the Accounts tab, if there is an entry in the logins table, click Edit. The Login Properties dialog box contains the Password and Confirm Password fields. Usually this identity has an internal account and no logins.
If you use a SAS internal account for any of these identities, that account's password is stored as part of that identity's user definition. To access an internal account password in SAS Management Console:
1. On the Plug-ins tab, select User Manager.
2. In the display area, right-click the user who owns the internal account and select Properties.
3. At the bottom of the Accounts tab, click Update. The Internal Account Properties dialog box contains the New Password and Confirm Password fields.
If you are using a standard configuration of scheduling with Platform Suite for SAS (with SAS Web Report Studio), the password for the LSF user is in a login on the LSF Services group. To access this setting in SAS Management Console:
1. On the Plug-ins tab, select User Manager.
2. In the display area, right-click the LSFServices group and select Properties.
3. On the Accounts tab, select the login that is in the authentication domain name LSFServicesAuthWRS, and click Edit. The Login Properties dialog box contains the Password and Confirm Password fields.
Note: The SAS Deployment Manager can update this login only if it was created through the installation processes.

Managed Passwords in the SAS Configuration Directories

The SAS Deployment Manager updates passwords in the following SAS configuration files. Not all deployments include all components. In a multi-machine deployment, not all directories exist on all machines. If you complete the instructions in How to Reduce Exposure of the SASTRUST Password, the first two rows in the table are no longer applicable.

Note: The table uses default names, generic casing, and generic path formats. It omits the initial part of the path (your equivalent of SAS/Config/Lev1/). [cautionend]

Passwords in Configuration Files
Configuration File That Contains a Password	Account: Location of Password
sasv9_meta.cfg	SAS Trusted User: metapass
ObjectSpawner/metadataConfig.xml	SAS Trusted User: Password in the Login entry
ConnectSpawner/metadataConfig.xml	SAS Trusted User: Password in the Login entry
Web/Applications/RemoteServices/jps.properties	SAS Trusted User: omr_password
Web/Common/login.config	SAS Trusted User: trustedpw
Web/Common/SASDomain/weblogicLogin.config	SAS Trusted User: trustedpw
SASMeta/MetadataServer/metaparms.sas¹	SAS Administrator: OMAAPW
1 This supports functions (such as pause, resume, backup, restore, and status) that are implemented as an execution of a SAS session with the METAOPERATE or METADATA procedure, or the OMABACKUP macro.

Additional Managed Passwords in the Web Environment

The SAS Deployment Manager updates passwords in the following additional locations:

The SAS Trusted User's password is in the JAAS configuration as follows:
- For JBoss, the password is in the login-config.xml file (for example, at \jboss-4.2.0.GA\server\SASServer1\conf\login-config.xml).
- For WebLogic, the password is in the weblogicLogin.config file in the SAS configuration directory (for example, at SAS/BIServer/Lev1/Web/Common/SASDomain/weblogicLogin.config).
- For WebSphere, the SAS Deployment Manager rebuilds the following JAAS Login Modules with the updated password:
  - SAS Content Server (SCS): com.sas.services.security.login.OMILoginModule
  - Platform Foundation Services (PFS): com.sas.services.security.login.OMILoginModule
  - Platform Foundation Services (PFS): com.sas.services.security.login.TrustedLoginModule
  To access these settings in the WebSphere administration console, navigate to the modules under Security Secure administration, applications and infrastructure Java Authentication and Authorization Service Application logins <PFS | SCS> JAAS login modules <module> custom properties trustedpw.
The SAS Trusted User's password might be in a JDBC data source definition as follows:
- For JBoss, the password would be in the SharedServices-ds.xml file (for example, at \jboss-4.2.0.GA\server\SASServer1\deploy\SharedServices-ds.xml).
- For WebLogic, you can access the setting in WebLogic administrative console.
- For WebSphere, you can access the setting in the WebSphere administrative console under Resources JDBC Data sources SharedServices JAAS J2C authentication data SASAppSrv01Node/SASJAAS. In some releases of WebSphere, SAS encoded or encrypted password values are not supported in this context.
Note: Not all deployments include a JDBC data source definition. If MySQL is used, the MySQL password is stored instead of the SAS Trusted User's password.
The SAS Trusted User's password is in the environment properties secure.password, omr_password, and server.admin.password. If you use the SAS Anonymous Web User, that user's password is in the environment property web.anonymous.password. Like all of the passwords in this topic, these passwords should be managed through the SAS Deployment Manager. As a last resort, these passwords can also be accessed through a specialized XML metadata interface (under Foundation Services 9.2 PropertySets Environment.Properties (PropertySet) SetProperties).

Top of Page