This page provides an overview of steps for managing service account credentials on the Apprenda Cloud Platform (version 7.1.0 and later).
Before you update a service account in a production environment, it is important to plan, coordinate, and practice both planned and unplanned credential rotation with all necessary stakeholders.
In addition to planning, you should configure your Platform to be highly available while you update credentials, and understand how to perform account updates without application downtime.
For larger environments, a minimum of 2 dedicated Windows hosts for Apprenda Cloud Platform applications is recommended. It is also a best practice to have a minimum instance count of 2 or higher for all components of the following Apprenda Cloud Platform applications:
Learn how to deploy additional application instances to your Platform through the Applications page in SOC.
Avoid application downtime during a password change by placing a server into the Maintenance state. This will cause your Platform to redistribute the server’s workloads to other acceptable servers and remove the server from future deployment strategies. A server in Maintenance will have no workloads hosted on it and will not be considered by your Platform for new workload deployments.
By putting a node into Maintenance, you can update all workloads with the new password. Once the server goes into Maintenance, the Platform will essentially restart those services on available nodes using the new credentials.
NOTE: Restarting the nodes themselves manually without using the Maintenance state will also cause the workloads running on that server to restart and use the updated credentials. This method is not recommended and will involve downtime for all applications running on the servers you restart.
The ACP Admin account is initially added during installation based on information you provided in the Platform Installer. This account is used for most Platform WCF Services except for the Federation Service and UI Manager. As a result, the Admin account is only ever running on Platform Web, Application, and Federation Gateway nodes. You can update the credentials for this account at any point after install.
Before changing ACP Admin account credentials (usually as a planned operation), you should verify that Platform and guest applications are in a healthy state by authenticating (using the admin credentials) to the Account Portal, Developer Portal, and SOC, and by deploying an application to your Platform.
Update the Admin account in your enterprise Directory Service. Then navigate to the SOC to configure the Admin account on your Platform to reflect the new credentials.
Once step 3 is completed for all servers, all WCF services that are running as the ACP Admin account should be running under the new credentials.
The ACP also allows guest applications to run as unique service accounts, which supports workload isolation and authentication to external data center resources. While the Platform can run guest application workloads as default service accounts using the Platform Registry, this configuration is not recommended.
Platform Operators can always view and update user account credential settings for .NET UI, WCF service, and Windows service components through the SOC Applications page, following the same steps as described above for the ACP Admin account:
From the Applications page in the SOC:
If you are using AD FS with your Platform, the password for the Service Account (for all versions) and Application Pool (if prior to AD FS 3.0) will need to be updated separately from the Platform.
Note: AD FS is no longer supported on new Platform installations of Platform version 8.2.0 and will not be supported on later Platform versions.