This is documentation for Apprenda 7 and 8.
Documentation for newer versions is available at https://new.docs.apprenda.com.

Service Account Password Management

This page provides an overview of steps for managing service account credentials on the Apprenda Cloud Platform (version 7.1.0 and later).

Planning to change credentials

Before you update a service account in a production environment, it is important to plan, coordinate, and practice both planned and unplanned credential rotation with all necessary stakeholders.

In addition to planning, you should configure your Platform to be highly available while you update credentials, and understand how to perform account updates without application downtime.

Configuring for High Availability

For larger environments, it is recommended to have a minimum of 2 dedicated Windows hosts for Apprenda Cloud Platform applications. It is also a best practice to have an instance count of 2 or higher for all components of the following Apprenda Cloud Platform applications:

  • Developer Portal
  • Account Portal
  • SOC
  • Authentication Services

Learn how to deploy additional application instances to your Platform through the Applications page in SOC.

Avoiding Downtime

Avoid application downtime during a password change by placing a server into the Maintenance state. This will cause your Platform to redistribute the server's workloads to other acceptable servers and remove the server from future deployment strategies. A server in Maintenance will have no workloads hosted on it and will not be considered by your Platform for new workload deployments.

By putting a node into Maintenance, you can update all workloads with the new password. Once the server goes into Maintenance, the Platform will essentially restart those services on available nodes using the new credentials.

NOTE: Restarting the nodes themselves manually without using the Maintenance state will also cause the workloads running on that server to restart and use the updated credentials. This method is not recommended and will involve downtime for all applications running on the servers you restart.

ACP Admin Account Credentials

The ACP Admin account is initially added during install based on information you provided in the Platform Installer. This account is used for most Platform WCF Services except for the Federation Service and UI Manager. As a result, the Admin account is only ever running on Platform Web, Application, and Federation Gateway nodes.

You can update the credentials for this account at any point during Platform runtime. Before changing ACP Admin account credentials (usually as a planned operation), you should verify that the Platform and guest applications are in a healthy state by authenticating to the Account Portal, Developer Portal and SOC and deploying an application to your Platform.

Start to change credentials by updating the Admin account in your enterprise Directory Service. Then navigate to the SOC to configure the Admin account on your Platform to reflect the new credentials.

  1. Update the following Platform Registry Settings:

    • SystemAdministratorDomain
    • SystemAdministratorPassword
    • SystemAdministratorUsername
  2. From the Applications page in the SOC: (Note: This step is only necessary for Service Level components (or WCF Services), and not necessary for .NET User Interfaces or Databases.)
    1. For each application published by Apprenda, Inc on a specific node, access the Service Level Options. To access these options, click on the version link for the application and access its components.
    2. Click on the arrow on the right side of the screen and select Edit Service Level Options.
    3. Change the account to the desired credentials and click Save.
    4. Repeat for all Apprenda applications on that node, then put the node into Maintenance Mode (or restart the node if downtime is acceptable). Make sure that, system wide, the second-to-last application removed is the Application Catalog and the last is the Router.
    5. Move on to the next node and repeat the steps again.

Once completed for all servers, all WCF services that are running as the ACP Admin account should be running under the new credentials.

Guest Applications Service Account Credentials (Windows)

The ACP also allows guest applications to run as unique service accounts, which supports workload isolation and authentication to external data center resources. While the Platform can run guest application workloads as default service accounts using the Platform Registry, this configuration is not recommended.

Platform Operators can always view and update user account credential settings for .NET UI, WCF service, and Windows service components through the SOC Applications page, following the same steps as above for the ACP Admin account:

From the Applications page in the SOC:

  1. For each application on a specific node, access the Service Level Options. To access these options, click on the version link for the application and access its components.
  2. Click on the arrow on the right side of the screen and select Edit Service Level Options.
  3. Change the account to the desired credentials and click Save.
  4. Repeat for all Apprenda applications on that node and put the node into Maintenance Mode (or restart the node if downtime is acceptable).
  5. Move on to the next node and repeat the steps again for application component credentials that need to be changed.

AD FS password changes

If you are using AD FS with your Platform, the password for the Service Account (for all versions) and Application Pool (if prior to AD FS 3.0) will need to be updated separately from the Platform.

  1. RDP into the hosts running AD FS
  2. Launch the Services view
  3. Right click on the AD FS Service and click on properties
  4. Click on the "Log On" tab
  5. Update the password fields
  6. Accept, and Start the AD FS Service
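
A scripted equivalent of the steps above, as an added example that is not part of the Apprenda documentation. It covers only the AD FS Windows service (service name adfssrv), not the Application Pool used before AD FS 3.0. It assumes PowerShell remoting is enabled on the AD FS hosts in place of RDP, that the password has already been changed in the directory, and that the host names shown are placeholders.

```powershell
# Added example: host names are hypothetical placeholders for your AD FS hosts.
$adfsHosts = @('adfs01.example.internal', 'adfs02.example.internal')

# Prompt once for the AD FS service account and its NEW password.
# Only the password is used; the account the service runs as is left unchanged.
$svcCred = Get-Credential -Message 'AD FS service account and new password'

# Work through the hosts one at a time so a bad password stops the run
# before every AD FS host has been restarted with it.
foreach ($h in $adfsHosts) {
    $status = Invoke-Command -ComputerName $h -ArgumentList $svcCred -ErrorAction Stop -ScriptBlock {
        param([pscredential]$Cred)

        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
        if (-not $svc) { throw "AD FS service not found on $env:COMPUTERNAME" }

        # Same effect as editing the password fields on the "Log On" tab.
        $change = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $svc.StartName
            StartPassword = $Cred.GetNetworkCredential().Password
        }
        if ($change.ReturnValue -ne 0) {
            throw "Win32_Service.Change returned $($change.ReturnValue) on $env:COMPUTERNAME"
        }

        # The stored password is only checked at service logon, so restart now:
        # a wrong password fails here instead of at the next unplanned restart.
        Restart-Service -Name adfssrv -ErrorAction Stop

        Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'" |
            Select-Object Name, StartName, State
    }

    # Invoke-Command adds PSComputerName to each returned object.
    $status | Format-Table PSComputerName, Name, StartName, State -AutoSize

    if ($status.State -ne 'Running') {
        throw "adfssrv is not running on $h; fix this host before continuing."
    }
}
```

Check the StartName column in the output against the account you intended to rotate before moving on to the next host.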

Note: AD FS is no longer supported on new Platform installations of Platform version 8.2.0 and will not be supported on later Platform versions.