How to Change the Password of a Database User
Before using this guide, it is recommended to read Enhanced Password Protection which offers enhanced protection of passwords.
It is a good security practice to regularly change database access credentials. Whenever the database user password is changed, it is necessary to update connection properties on several places. The article below provides guidelines for:
PostgreSQL server
MS SQL Server with SQL authentication
MS SQL Server with domain authentication and service account
Internal accounts
There are several SQL logins in the database, which were created automatically during installation by YSoft SafeQ installer. Those are SQL logins, not domain accounts. In the text below, those accounts are highlighted in a box like this one.
How to Encrypt Password
Passwords in Configuration Files
Passwords in the configuration files can be in plain text or encrypted by the utility provided by YSoft SafeQ 6 as a widget on Dashboard:
Sign into Management Service interface as an administrator (into a tenant scheme if it is in a multi-tenant environment).
Stay on Dashboard.
Find the Text Encryption widget or enable it (click the Add widget button).
Enter the text to encrypt.
Click the Encode button at the bottom of the widget.
Copy the text to the clipboard or transcribe it and replace the original password in the property file.
Passwords in Database
Passwords in the database are in plaintext.
YSoft SafeQ 6 Management Service
Refer to page YSoft SafeQ server requirements for details about all user accounts used by YSoft SafeQ.
YSoft SafeQ 6 Management Service - SQL Authentication
Use this procedure to change password for:
PostgreSQL server
MS SQL Server with SQL authentication
For MS SQL Server with domain authentication skip this section. Continue with YSoft SafeQ 6 Management Service - Domain Authentication instead.
STEP 1 - CONFIGURATION FILES
When using SQL authentication (not domain authentication), update the following configuration files:
<install_dir>\Management\ims\application.properties:
spring.datasource.password – password of a user account for IMS database, typically a database with suffix _IMS. This is the account provided by the customer.
<install_dir>\Management\conf\safeq.properties:
database.global.management.password – password for a common connection to the database. This is the account provided by the customer.
databaseWarehouse.global.management.password – password for a common connection to the database. This is the account provided by the customer.
Internal accounts
Those accounts were created automatically during installation by YSoft SafeQ installer. Those are SQL logins, not domain accounts.
database.cluster.management.password – password of a cluster management user, typically called cluster_mngmt).
database.cluster.guest.password – password of a cluster guest user, typically called cluster_guest).
databaseWarehouse.cluster.management.password – password of data warehouse guest user, typically called cluster_guest).
databaseWarehouse.cluster.guest.password – password of data warehouse guest user, typically called cluster_guest).
<install_dir>\Management\validator\conf\DBValidator.properties:
connectionInfoSQ.userPassword – password for a common connection to the database. This is the account provided by the customer.
connectionInfoDW.userPassword – password for a common connection to the database. This is the account provided by the customer.
STEP 2 - DATABASE
The procedure slightly differs on MU 8 or older, refer to Recovery of databases documentation, Reconfiguring the SQDB6 Database section.
Execute the following query to reset stored procedures' connection strings:
For PostgreSQL:
PostgreSQLSELECT
cluster_mngmt.spu_recover_tenant_db_passwords();
For MS SQL Server:
MS SQL ServerEXEC
cluster_mngmt.spu_recover_tenant_db_passwords;
Execute database validator:
Execute the following query
For PostgreSQL:
PostgreSQLSELECT
cluster_mngmt.spu_clean_validator_tables();
For MS SQL Server:
MS SQL ServerEXEC
cluster_mngmt.spu_clean_validator_tables();
Navigate to <install_dir>\Management\validator\conf\DBValidator.properties and verify the database passwords.
Navigate to <install_dir>\Management\validator\bin\validatorRunner.exe
Run it.
More information: DB Validator Tool
YSoft SafeQ 6 Management Service - Domain Authentication
Use this procedure to change password for:
MS SQL Server with domain authentication. The installation followed this procedure: Installing YSoft SafeQ Management Server on external MSSQL using domain users
STEP 1 - CONFIGURATION FILES
When using DOMAIN authentication (not sql login authentication), update the following configuration file:
<install_dir>\Management\validator\conf\DBValidator.properties:
connectionInfoSQ.userPassword – password for a common connection to the database. This is the account provided by the customer.
connectionInfoDW.userPassword – password for a common connection to the database. This is the account provided by the customer.
STEP 2 - DATABASE
Internal accounts
Internal accounts are users without passwords when using domain authentication. There is no need to update any passwords.
Reference: https://docs.microsoft.com/en-us/sql/relational-databases/databases/contained-databases
Execute database validator:
Perform the steps below only if data warehouse is deployed on a different SQL Server, SKIP THEM OTHERWISE.
Execute the following query
For PostgreSQL:
PostgreSQLSELECT
cluster_mngmt.spu_clean_validator_tables();
For MS SQL Server:
MS SQL ServerEXEC
cluster_mngmt.spu_clean_validator_tables();
Navigate to <install_dir>\Management\validator\conf\DBValidator.properties and verify the database passwords.
Navigate to <install_dir>\Management\validator\bin\validatorRunner.exe
Run it.
More information: DB Validator Tool
STEP 3 - WINDOWS SERVICES
Update service account password on affected Windows services (run services.msc):
YSoft Infrastructure Service
YSoft SafeQ LDAP Replicator
YSoft SafeQ Management Service
YSoft SafeQ 6 Management Service - Apply the Change
The following services need to be restarted to apply the changes:
YSoft SafeQ Management Service
YSoft Infrastructure Service
YSoft SafeQ 6 Payment System
YSoft SafeQ 6 Payment System - SQL Authentication
Use this procedure to change password for:
PostgreSQL server
MS SQL Server with SQL authentication
For MS SQL Server with domain authentication skip this section.
The passwords must be changed in configuration files when the user password of a connection to the database is changed:
for MU26 or newer <install_dir>\YPS\ps-conf\environment-configuration.properties
for MU25 or older <install_dir>\YPS\ysoft\environment-configuration.properties
database.password – the password of a user for a common connection to the database (typically, a default user with the username "postgres" or "sa")
YSoft SafeQ 6 Payment System - Domain Authentication
No extra step required.
YSoft SafeQ 6 Payment System - Apply the Change
The following services need to be restarted to apply the changes:
YSoft SafeQ Payment System Service