
Does the hide_maintuser_pwd option automatically update ASE maint user passwords?

sladebe
Active Participant
0 Kudos

Looking at:


Replication Server Administration Guide Volume 1 -> Manage Replication Server Security -> Manage Replication Server System Security -> Maintenance User Security

( https://help.sap.com/viewer/9dc6170db0d24bb9bc901a44187b0636/15.7.1.304/en-US/fdfc54a1bd1c1014ac88be... )

it says:

Set hide_maintuser_pwd on to:

  • Periodically generate a new password for the maintenance user for existing connections to a replicate Adaptive Server database.
  • Generate and encrypt the password for any new database connections you create, and periodically regenerate and encrypt the password at the replicate Adaptive Server database.
  • Change and encrypt any password you reenter for the maintenance user.

So if I set hide_maintuser_pwd to "on" and then set maintuser_pwd_expiration to some value, will maint users' passwords be automatically regenerated after the expiration time and then automatically updated in the repserver *and* in the corresponding ASE servers for those maint users?

The key part of this question is whether or not the ASE server maint users get their passwords automatically updated.

Thanks in advance
Ben

Accepted Solutions (1)

Yes. The initial password for the maintenance user will be altered to a newly generated string with a fixed length of ‘30’, both in the RSSD ‘rs_maintusers’ table and in the user databases.

The password is then altered periodically when the ‘maintuser_pwd_expiration’ duration expires if the configuration has been set to a non-zero value.

If there are multiple user databases on the same data server which share one maintenance user login, the password of the login will be altered for each of the user databases and its corresponding entry in RSSD.

Limitation
The hide maintenance user password feature is not supported if:

- The database is non-ASE or a Replication Server system database (RSSD).

- ASE version is lower than 15.0.3.

- The ASE server is authenticating the maintenance user login with a method other than ‘ASE’ (e.g. Kerberos or LDAP).

- The maintenance user of the user database shares the same data server login with the RSSD maintenance user or primary user.

- Multiple user databases share the same data server login while they are controlled by more than one Replication Server.
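
The limitation list above, written as a pre-flight check over a connection inventory. This is an added example, not part of the original answer and not SAP code. The inventory field names (including `reserved_logins` for logins used by the RSSD maintenance user or primary user) and all server names are assumptions made for illustration.

```python
import re
from collections import defaultdict

MIN_ASE = (15, 0, 3)  # from the limitation list: lower ASE versions are unsupported

def _ver(text):
    """Parse a dotted numeric version prefix, e.g. '15.7' -> (15, 7, 0)."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple(nums + [0, 0, 0])[:3]

def hide_pwd_blockers(connections):
    """Map (data_server, database) -> reasons the limitation list applies."""
    rs_by_login = defaultdict(set)  # (data_server, login) -> Replication Servers using it
    reserved = set()                # logins also used by RSSD maint user / primary user
    for c in connections:
        rs_by_login[(c["data_server"], c["maint_login"])].add(c["repserver"])
        reserved.update((c["data_server"], l) for l in c.get("reserved_logins", ()))
    blockers = {}
    for c in connections:
        key, reasons = (c["data_server"], c["maint_login"]), []
        if c["dbms"] != "ASE" or c.get("is_rssd"):
            reasons.append("non-ASE database or RSSD")
        elif _ver(c["ase_version"]) < MIN_ASE:
            reasons.append("ASE version lower than 15.0.3")
        if c.get("auth", "ASE") != "ASE":
            reasons.append("login not authenticated by ASE")
        if key in reserved:
            reasons.append("login shared with RSSD maintenance user or primary user")
        if len(rs_by_login[key]) > 1:
            reasons.append("login shared across more than one Replication Server")
        if reasons:
            blockers[(c["data_server"], c["database"])] = reasons
    return blockers

# Constructed inventory; every name and field key here is hypothetical.
SAMPLE = [
    {"repserver": "RS_A", "data_server": "ASE1", "database": "sales", "dbms": "ASE",
     "ase_version": "15.7", "maint_login": "shared_maint"},
    {"repserver": "RS_B", "data_server": "ASE1", "database": "orders", "dbms": "ASE",
     "ase_version": "15.7", "maint_login": "shared_maint"},
    {"repserver": "RS_A", "data_server": "ASE2", "database": "hr", "dbms": "ASE",
     "ase_version": "15.0.2", "maint_login": "hr_maint", "auth": "LDAP"},
    {"repserver": "RS_A", "data_server": "ASE3", "database": "crm", "dbms": "ASE",
     "ase_version": "16.0", "maint_login": "crm_maint"},
]

if __name__ == "__main__":
    for conn, why in hide_pwd_blockers(SAMPLE).items():
        print(conn, "->", "; ".join(why))
```
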

sladebe
Active Participant
0 Kudos

Thanks this is a very useful answer.

For me, the following item is a problem:

  1. Multiple user databases share the same data server login while they are controlled by more than one Replication Server.

This is because, in order to minimize repserver crashing problems, we spread out replication for different databases (on the same ASE server) to different repservers. So we have multiple repservers all sharing the same maint user login to an ASE server.

But thanks for the info. I'm marking your answer as "Accepted".

Ben

sladebe
Active Participant
0 Kudos

One more related question:

So if I were to use hide_maintuser_pwd and maintuser_pwd_expiration the passwords for the maint user would periodically change in the repserver and the ASE server.

But what happens when I need to rs_init a new connection to an ASE server? I need to know the maint user password to do that, right? But it's been changed to a random value.

Do I have to reset the maint user password to a known value before running rs_init?

Answers (2)

sladebe
Active Participant
0 Kudos

Re: Yes, I have to reset the maint user password to a known value before running rs_init.

So the procedure to do this would be (which would be the default procedure to change maint user passwords if "hide_maintuser_pwd" is off):

  1. For a given maint user, on all relevant repservers, suspend all the DSIs in the repserver(s) connecting via that maint user.
  2. On all the ASE servers connected to using that maint user, change that maint user password using the command:
    alter login <maint_user> with password <caller_password> modify password <new_login_name_password>
  3. On the repserver(s), logged in as a user with sa privileges, change that maint user password using the command ("verify password" not needed when logged in with sa privs):
    alter user <maint_user> set password <new_password>
  4. Resume all the suspended DSIs

0 Kudos

Yes, that would seem to be the case if you use the same maint_user for multiple databases.