How to Change the Password of a Database User

Before using this guide, it is recommended to read Enhanced Password Protection which offers enhanced protection of passwords.


It is a good security practice to regularly change database access credentials. Whenever the database user password is changed, it is necessary to update connection properties on several places. The article below provides guidelines for:

  • PostgreSQL server

  • MS SQL Server with SQL authentication

  • MS SQL Server with domain authentication and service account

Internal accounts

There are several SQL logins in the database, which were created automatically during installation by YSoft SafeQ installer. Those are SQL logins, not domain accounts. In the text below, those accounts are highlighted in a box like this one.

How to Encrypt Password

Passwords in Configuration Files

Passwords in the configuration files can be in plain text or encrypted by the utility provided by YSoft SafeQ 6 as a widget on Dashboard:

  1. Sign into Management Service interface as an administrator (into a tenant scheme if it is in a multi-tenant environment).

  2. Stay on Dashboard.

  3. Find the Text Encryption widget or enable it (click the Add widget button).

  4. Enter the text to encrypt.

  5. Click the Encode button at the bottom of the widget.

  6. Copy the text to the clipboard or transcribe it and replace the original password in the property file.

images/download/attachments/160480367/image2017-4-26_16_28_19.png

Passwords in Database

  • Passwords in the database are in plaintext.

YSoft SafeQ 6 Management Service

Refer to page YSoft SafeQ server requirements for details about all user accounts used by YSoft SafeQ.

YSoft SafeQ 6 Management Service - SQL Authentication

Use this procedure to change password for:

  • PostgreSQL server

  • MS SQL Server with SQL authentication

    For MS SQL Server with domain authentication skip this section. Continue with YSoft SafeQ 6 Management Service - Domain Authentication instead.

STEP 1 - CONFIGURATION FILES

When using SQL authentication (not domain authentication), update the following configuration files:

  • <install_dir>\Management\ims\application.properties:

    • spring.datasource.password – password of a user account for IMS database, typically a database with suffix _IMS. images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/information.svg This is the account provided by the customer.

  • <install_dir>\Management\conf\safeq.properties:

    • database.global.management.password – password for a common connection to the database. images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/information.svg This is the account provided by the customer.

    • databaseWarehouse.global.management.password – password for a common connection to the database. images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/information.svg This is the account provided by the customer.

      Internal accounts

      Those accounts were created automatically during installation by YSoft SafeQ installer. Those are SQL logins, not domain accounts.

      • database.cluster.management.password – password of a cluster management user, typically called cluster_mngmt).

      • database.cluster.guest.password – password of a cluster guest user, typically called cluster_guest).

      • databaseWarehouse.cluster.management.password – password of data warehouse guest user, typically called cluster_guest).

      • databaseWarehouse.cluster.guest.password – password of data warehouse guest user, typically called cluster_guest).

  • <install_dir>\Management\validator\conf\DBValidator.properties:

    • connectionInfoSQ.userPassword – password for a common connection to the database. images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/information.svg This is the account provided by the customer.

    • connectionInfoDW.userPassword – password for a common connection to the database. images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/information.svg This is the account provided by the customer.


STEP 2 - DATABASE

The procedure slightly differs on MU 8 or older, refer to Recovery of databases documentation, Reconfiguring the SQDB6 Database section.

Execute the following query to reset stored procedures' connection strings:

  • For PostgreSQL:

    PostgreSQL
    SELECT cluster_mngmt.spu_recover_tenant_db_passwords();
  • For MS SQL Server:

    MS SQL Server
    EXEC cluster_mngmt.spu_recover_tenant_db_passwords;

Execute database validator:

  1. Execute the following query

    1. For PostgreSQL:

      PostgreSQL
      SELECT cluster_mngmt.spu_clean_validator_tables();
    2. For MS SQL Server:

      MS SQL Server
      EXEC cluster_mngmt.spu_clean_validator_tables();
  2. Navigate to <install_dir>\Management\validator\conf\DBValidator.properties and verify the database passwords.

  3. Navigate to <install_dir>\Management\validator\bin\validatorRunner.exe

    1. Run it.

More information: DB Validator Tool

YSoft SafeQ 6 Management Service - Domain Authentication

Use this procedure to change password for:


STEP 1 - CONFIGURATION FILES

When using DOMAIN authentication (not sql login authentication), update the following configuration file:

  • <install_dir>\Management\validator\conf\DBValidator.properties:

    • connectionInfoSQ.userPassword – password for a common connection to the database. images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/information.svg This is the account provided by the customer.

    • connectionInfoDW.userPassword – password for a common connection to the database. images/s/-t6brkm/8803/3fowtp/_/images/icons/emoticons/information.svg This is the account provided by the customer.

STEP 2 - DATABASE

Internal accounts

Internal accounts are users without passwords when using domain authentication. There is no need to update any passwords.

Reference: https://docs.microsoft.com/en-us/sql/relational-databases/databases/contained-databases

Execute database validator:

Perform the steps below only if data warehouse is deployed on a different SQL Server, SKIP THEM OTHERWISE.

  1. Execute the following query

    1. For PostgreSQL:

      PostgreSQL
      SELECT cluster_mngmt.spu_clean_validator_tables();
    2. For MS SQL Server:

      MS SQL Server
      EXEC cluster_mngmt.spu_clean_validator_tables();
  2. Navigate to <install_dir>\Management\validator\conf\DBValidator.properties and verify the database passwords.

  3. Navigate to <install_dir>\Management\validator\bin\validatorRunner.exe

    1. Run it.

More information: DB Validator Tool


STEP 3 - WINDOWS SERVICES

Update service account password on affected Windows services (run services.msc):

  • YSoft Infrastructure Service

  • YSoft SafeQ LDAP Replicator

  • YSoft SafeQ Management Service

YSoft SafeQ 6 Management Service - Apply the Change

The following services need to be restarted to apply the changes:

  • YSoft SafeQ Management Service

  • YSoft Infrastructure Service

YSoft SafeQ 6 Payment System

YSoft SafeQ 6 Payment System - SQL Authentication

Use this procedure to change password for:

  • PostgreSQL server

  • MS SQL Server with SQL authentication

    For MS SQL Server with domain authentication skip this section.

The passwords must be changed in configuration files when the user password of a connection to the database is changed:

  • for MU26 or newer <install_dir>\YPS\ps-conf\environment-configuration.properties

  • for MU25 or older <install_dir>\YPS\ysoft\environment-configuration.properties

database.password – the password of a user for a common connection to the database (typically, a default user with the username "postgres" or "sa")

YSoft SafeQ 6 Payment System - Domain Authentication

No extra step required.

YSoft SafeQ 6 Payment System - Apply the Change

The following services need to be restarted to apply the changes:

  • YSoft SafeQ Payment System Service