Update ICA services credentials and data source credentials
search cancel

Update ICA services credentials and data source credentials

book

Article ID: 226575

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

The nature of Information Centric Analytics' (ICA) architecture requires multiple identities to be defined across Microsoft Internet Information Services (IIS), SQL Server, and SQL Server Analysis Services (SSAS), though the same identity may be used in all cases. Additional credentials may be used with integration packs and in the Integration Wizard (IW) for data source queries. In some environments, the passwords of one or more identities may periodically change, necessitating an update of the passwords used for ICA and data source integrations.

NOTE: The ICA service account should be configured to use a persistent or semi-persistent password in accordance with your organization's security policies. Password rotations on 24-hour cycles will necessitate following these procedures daily; a failure to do so will result in the failure of one or multiple components of ICA.

This article does not address changes to ICA portal user account credentials.

Environment

Release : 6.x

Component : Credentials

Resolution

Prior to making any changes, please refer to the Required Steady State Privileges section of the Symantec ICA Administrator Guide to ensure the account used as the ICA service account identity has been granted sufficient privileges to perform each of its functions.

Microsoft Internet Information Services (IIS)

To update the password of the application pool identity used by IIS for the ICA application, follow this procedure:

  1. On the ICA application server, open the Internet Information Services (IIS) Manager
  2. In the Connections pane, expand the server hosting the ICA application and select Application Pools
  3. On the Application Pools page, right-click the RiskFabricAppPool and select Advanced Settings
    The Advanced Settings window opens
  4. In the Advanced Settings window, locate the Process Model heading
  5. Under the Process Model heading, select Identity and click on the ellipsis next to the credential name
    The Application Pool Identity window opens
  6. In the Application Pool Identity window, click the Set... button next to Custom Account
    the Set Credentials window opens
  7. In the Set Credentials window, enter the user name and new password
  8. Click the OK button to close the Set Credentials window
  9. Click the OK button to close the Application Pool Identity window
  10. Click the OK button to close the Advanced Settings window
  11. Recycle the RiskFabricAppPool using either of the following methods:
    1. On the Application Pools page, right-click the RiskFabricAppPool and select Recycle...
    2. From a command prompt run as an administrator, execute the following command:
      "%WinDir%\System32\inetsrv\appcmd.exe" recycle APPPOOL RiskFabricAppPool

Microsoft SQL Server

NOTE: If Kerberos is used for brokering authentication to the RiskFabric_ASDB linked server (RiskFabric OLAP cube), skip the RiskFabric_ASDB procedure in this section and follow the SQL Server Agent Proxies procedure.

RiskFabric_ASDB

To update the password used by SQL Server to execute queries against the RiskFabric OLAP cube hosted by Analysis Services, follow this procedure:

  1. Open SQL Server Management Studio (SSMS)
  2. Connect to the Database Engine hosting the RiskFabric relational database
  3. In Object Explorer, navigate to Server Objects > Linked Servers
  4. Right-click the RiskFabric_ASDB linked server and select Properties
    The Linked Server Properties window opens
  5. In the Linked Server Properties window, select the Security page
  6. Update the remote login (if needed) and password for the setting Be made using this security context
  7. Click the OK button to save the setting and close the Linked Server Properties window

SQL Server Agent Proxies

To update the password used by ICA's SQL Server Agent proxies (Bay Dynamics AD Connector Proxy, RiskFabric Nightly Processing, RiskFabric Proxy), follow this procedure:

  1. Open SSMS
  2. Connect to the Database Engine hosting the RiskFabric relational database
  3. In Object Explorer, navigate to Security > Credentials
  4. Right-click the RiskFabric Nightly Processing credential and select Properties
    The Credential Properties window opens
  5. In the Credential Properties window, update the Identity (if needed) and password
  6. Click the OK button to save the credentials and close the Credential Properties window
  7. Repeat steps 1 through 6 for the Bay Dynamics AD Connector Credential (if using the Active Directory integration)

Microsoft SQL Server Analysis Services (SSAS)

To update the password used by SSAS to connect to the RiskFabric relational database data source, follow this procedure:

  1. Open SSMS
  2. Connect to the Analysis Services server hosting the RiskFabric OLAP cube
  3. In Object Explorer, navigate to Databases > RiskFabric
  4. Right-click RiskFabric and select Properties
    The Database Properties window opens
  5. In the Database Properties window under the Security Settings heading, edit the Data Source Impersonation Info
    The Impersonation Information window opens
  6. In the Impersonation Information window, update the Password
  7. Click the OK button to save the password and close the Impersonation Information window
  8. Click the OK button to close the Database Properties window
  9. In Object Explorer, navigate to Databases > RiskFabric > Data Sources
  10. Right-click RiskFabric and select Properties
    The Data Source Properties window opens
  11. In the Data Source Properties window under the Security Settings heading, edit the Impersonation Info
    The Impersonation Information window opens
  12. In the Impersonation Information window, select the Inherit impersonation option
  13. Click the OK button to close the Impersonation Information window
  14. Restart the SQL Server Analysis Services (msmdsrv) service using any of the following methods:
    1. In SSMS Object Explorer, right-click the SSAS hostname and select Restart
    2. From the Windows menu, open Services (services.msc), right-click the service SQL Server Analysis Services (<Instance-Name>), and select Restart
    3. From a command prompt run as an administrator, execute the following commands:
      net stop MSSQLServerOLAPService[$instancename]
      net start MSSQLServerOLAPService[$instancename]

Active Directory

To update the password used by the Active Directory Connector Utility to query Active Directory (AD) domain controllers, follow this procedure:

  1. Open SSMS
  2. Connect to the Database Engine hosting the ActiveDirectoryDW relational database
  3. In Object Explorer, navigate to Databases > ActiveDirectoryDW > Tables
  4. Right-click the table dbo.Server and select Select Top 1000 Rows
  5. Note the ServerID value of the AD server(s) to be updated
  6. In Object Explorer, navigate to SQL Server Agent > Jobs
  7. Right-click the Bay Dynamics AD Connector Job and select Properties
    The Job Properties - Bay Dynamics AD Connector Job window opens
  8. In the Job Properties - Bay Dynamics AD Connector Job window, select the Steps page
  9. In the Steps page, select the Edit button
  10. In the Command window, note the path to the ImportADUsersAndComputers.exe executable
  11. From a command prompt, navigate to the path identified in step 10
  12. Edit the following command, passing the ServerID from step 5 and the new password for the account:
    ImportADUsersAndComputers.exe -setapipassword <ServerID> <new-password>

    NOTE: If the AD password contains special characters, enclose the password in double quotation marks (for example, "new_password")

  13. Execute the command

Integrations

To update the password(s) used to connect to data sources through integration packs or via custom integrations, follow this procedure:

  1. Open the Risk Fabric console
  2. Navigate to Admin > Integration > Data Sources
  3. From the Choose Data Source menu, select the integration to be updated (for example, Symantec Data Loss Prevention)
  4. If the data source is connected through an integration pack, select the contact card icon next to the server to be updated
  5. Follow the prompts in the Edit Connection Settings window to update the credentials of the data source connection
  6. If the data source is User Defined, right-click the datasource name and select Edit Data Source
  7. On the Create Data Source page, update the password used for the data source connection
  8. Repeat applicable steps 3 through 7 for each data source connection to be updated