
About the SetPassword Metadata Utility

Purpose: The SetPassword utility enables an unrestricted user to change passwords on one or more metadata login objects. The person who runs the utility must provide the new passwords as input. This utility can be used in conjunction with enterprise password provisioning/reset tools to drive password changes into the metadata server.

Notes: This utility does not extract passwords from authentication providers. Nor does it update passwords used for metadata server internal authentication. (These accounts are usually in the form of username@SASPW.)

Alternate Methods: As an alternative to using this utility, unrestricted users can use SAS Management Console to reset passwords for other users (one at a time). Regular users can use SAS Personal Login Manager (or SAS Management Console) to update their own passwords. For background information about logins and storage of passwords in the metadata, see the SAS Intelligence Platform: Security Administration Guide, at support.sas.com/administration.

Functional Overview: The utility works like this:

  1. You provide these inputs:
  2. The utility passes each UserID/AuthenticationDomain pair to the SAS Metadata Server to verify that there is a corresponding login. If a corresponding login is found, the old password is replaced with the new password. The utility does not verify the new password with the authentication provider.

  3. The utility generates log and error files as specified by you.

Syntax for the SetPassword Metadata Utility

Basic Syntax

A simple form of the command is:

SetPassword [connection options] -File "input-file-name"

As an alternative, you can remove the -File option and add options that directly provide account information:

SetPassword [connection options] -UserID "windows-domain\userID" -AuthenticationDomain "authentication-domain" -Password "new-password"

Utility Options

-AuthenticationDomain name-of-authentication-domain
specifies the authentication domain of the login that you are updating. To run the command for multiple logins, use the -File option instead. For a login that is not associated with an authentication domain, specify an empty string as the AuthenticationDomain value. For example, -AuthenticationDomain "".
Aliases: Domain, AuthDomain, AuthDom, DomainName, DM, AuthenticationDomain:Name

-UserID user-identifier
specifies the user ID of the login that you are updating. To run the command for multiple logins, use the -File option instead. User IDs for Windows accounts must be qualified with a machine or Windows domain name.
Aliases: UID, Login, ID, Login:UserID

-Password new-password-value
specifies the new password for the account that you identified in -UserID. The password should be in clear text (not encrypted).
Aliases: PWD, PW, passwd, Login:Password

-File input-file-name
specifies the name of a file that contains account ID and password information (as an alternative to providing this information directly on the command line). This file should contain the authentication domain, user ID, and new password for each account that you want to update. For example, you might have an input file named passwords.txt that contains these lines:

UserID="demotst6" AuthenticationDomain="OracleAuth" Password="demotst6password"
UserID="winNT\demotst7" AuthenticationDomain="WinAuth" Password="demotst7password"
UserID="demotst8" AuthenticationDomain="UnixAuth" Password="demotst8password"
UserID="winNT\demotst9" AuthenticationDomain="WinAuth" Password="demotst9password"


Windows IDs must be qualified with the machine or Windows domain name. The passwords should be in clear text (not encrypted).
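
Because the utility does not verify new passwords with the authentication provider, a malformed or duplicated line in the input file is worth catching before the run. The following Python pre-flight check is an added example, not part of the SAS utility or its documentation. It assumes that the file uses only the three key names shown above (no aliases) and that values cannot contain a double quote; windows_auth_domains is a hypothetical parameter naming the authentication domains that hold Windows accounts.

```python
import re

# KEY="value" as in passwords.txt; no escape is documented, so an embedded '"' is rejected.
PAIR = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = ("UserID", "AuthenticationDomain", "Password")

def parse_line(line):
    """Return the three fields of one input line, or raise ValueError."""
    if PAIR.sub("", line).strip():
        raise ValueError('text outside KEY="value" pairs')
    fields = dict(PAIR.findall(line))
    if len(PAIR.findall(line)) != 3 or set(fields) != set(REQUIRED):
        raise ValueError("expected exactly one each of " + ", ".join(REQUIRED))
    if not fields["UserID"] or not fields["Password"]:
        raise ValueError("empty UserID or Password")
    return fields  # AuthenticationDomain may be "" (login with no domain)

def lint(text, windows_auth_domains=()):
    """Return (line_number, message) findings; messages never contain a password."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            f = parse_line(line)
        except ValueError as e:
            findings.append((n, str(e)))
            continue
        key = (f["UserID"], f["AuthenticationDomain"])
        if key in seen:
            findings.append((n, f"same login as line {seen[key]}"))
        seen.setdefault(key, n)
        if f["AuthenticationDomain"] in windows_auth_domains and "\\" not in f["UserID"]:
            findings.append((n, "Windows user ID is not domain-qualified"))
    return findings

def redact(line):
    """Mask the password value so the line can be logged or attached to a ticket."""
    return re.sub(r'(Password=)"[^"]*"', r'\1"********"', line)

# Constructed sample, modelled on the passwords.txt lines above.
SAMPLE = '''UserID="demotst6" AuthenticationDomain="OracleAuth" Password="pw-six"
UserID="demotst7" AuthenticationDomain="WinAuth" Password="pw-seven"
UserID="demotst6" AuthenticationDomain="OracleAuth" Password="pw-other"
UserID="demotst8" AuthenticationDomain=""
'''

if __name__ == "__main__":
    print(*lint(SAMPLE, windows_auth_domains={"WinAuth"}), sep="\n")
```

The input file holds clear-text passwords, so run the check where the file is generated and write only redact() output to logs.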

-noPrompt
specifies that input will come from a pipe. 

-verbose
enables verbose output such as connecting/disconnecting info.

-logFile file-name
specifies a log file name and location. If -logFile is omitted, log messages are sent to standard output. If you specify a directory, that location must already exist; the utility will not create the directory for you.

-errorFile file-name
specifies an error file name and location. If -errorFile is omitted, error messages are printed to standard error.

Connection Options

-metaServer server_name
the host name or IP address of the computer that hosts the metadata server.

-metaPort port_number
the port number on which the metadata server listens for requests.

-metaUser userID
the fully qualified user ID of an unrestricted user.

-metaPass password
the password for the unrestricted user.

-metaRepository repository_name
the name of the repository that contains the login metadata to be updated (this is usually the foundation repository). Generally, logins can be located and passwords set without specifying this option.

Usage Examples

Example 1: Changing One Password Directly From the Command Line

To update the Oracle password for the SAS Demo User, enter this command:

SetPassword -metaServer "d12345" -metaPort 8561 -metaUser "winNT\sasadm" -metaPass "ADMpwd123" -UserID "winNT\sasdemo" -authDom "OracleAuth" -Password "ORApwd123"

Example 2: Changing Multiple Passwords From an Input File

To update the passwords in the Oracle logins for three demo accounts (sasdemo1, sasdemo2, and sasdemo3), create a file named passwords.txt that contains these lines:

UserID="sasdemo1" AuthenticationDomain="OracleAuth" Password="ORApwDemo1"
UserID="sasdemo2" AuthenticationDomain="OracleAuth" Password="ORApwDemo2"
UserID="sasdemo3" AuthenticationDomain="OracleAuth" Password="ORApwDemo3"

And enter this command:

SetPassword -metaServer "d12345" -metaPort 8561 -metaUser "winNT\sasadm" -metaPass "ADMpwd123" -File "passwords.txt"

Example 3: Changing Multiple Passwords From Piped Input

To accomplish the same password changes as in the previous example using piped input on Windows, create a file named input.bat that contains these lines:

@echo UserID="sasdemo1" AuthenticationDomain="OracleAuth" Password="ORApwDemo1"
@echo UserID="sasdemo2" AuthenticationDomain="OracleAuth" Password="ORApwDemo2"
@echo UserID="sasdemo3" AuthenticationDomain="OracleAuth" Password="ORApwDemo3"

And on Windows, enter this command:

input.bat | SetPassword -metaServer "d12345" -metaPort 8561 -metaUser "winNT\sasadm" -metaPass "ADMpwd123" -noprompt -verbose -logfile "logs\setpw-logfile.log" -errorfile "logs\setpw-errorfile.log"

Note: This example assumes that the logs directory has already been created.