How to Update NATS and PostgreSQL Passwords Used by Veeam Backup for Microsoft 365
Purpose
Solution
How to Update NATS Server Password
The instructions about changing the NATS server-side password assume that the NATS server in use is the one included and deployed by the Veeam Backup for Microsoft 365 installer.
For information about configuring Veeam Backup for Microsoft 365 to utilize a different existing NATS server after deployment, skip to the "Update Veeam Backup for Microsoft 365 NATS Client Connection Settings" section, and update the hostname as well as the password.
Password Restrictions
The following characters should not be used as part of the NATS server password:
- @
- <
- >
- '
- "
Change NATS Server-Side Password
To ensure maximum security this method will demonstrate storing the password in bcrypt hash format within the NATS server configuration.
- Come up with or generate a new password.
- Convert that password to bcrypt hash format.
Note: For example, using bcrypt.online - Edit the NATS server configuration file: C:\ProgramData\NATS\nats-server.conf
- Find the line for password:
- Update the password hash value in quotes with the hash generated in Step 2.
- Save the file.
- Restart the nats-server service.
Update Veeam Backup for Microsoft 365 NATS Client Connection Settings
The connection settings must be updated in two different locations depending on the role of the component.
- Veeam Backup for Microsoft 365 Server — C:\ProgramData\Veeam\Backup365\Config.xml
- Veeam Backup for Microsoft 365 Proxy — C:\ProgramData\Veeam\Backup365\Proxy.xml
Review the sections below for component specific instructions.
Change NATS Server Connection Settings on Veeam Backup for Microsoft 365 Server
- Stop all Veeam Backup for Microsoft 365 services.
- Open the configuration XML file: C:\ProgramData\Veeam\Backup365\Config.xml
- Within the <Archiver> section, identify the line with the following pattern:
<Server JetStreamConnectionString="nats://admin:<password>@<NATS-server-hostname>:4222?passwordEncrypted" - Update the JetStreamConnectString as follows:
- Replace the encrypted password value with the plaintext password that will be used to connect to the NATS server.
- Remove ?passwordEncrypted located after the port number and before the quotation mark.
- Example (Before):
<Server JetStreamConnectionString="nats://admin:AQAAANCMnd8BFdERjHoAwE%2FCl%2BsBAAAARy%2Fvgmvm50WcOwqjnpZO1AQAAAACAAAAAAAQZgAAAAEAACAAAAA9CveKuONc5hEvEh5XSb47Nb9MzqkF65vaI0sXherMKQAAAAAOgAAAAAIAACAAAADbg1B7jbmeJe3Rm5Z0hc8HGEAe5av9%2BW4jthTn8IR0pDAAAAB6ynoaYEAC2bvtQK1w6CV%2FfeayQHFnRYpjo3oG%2ByNzBhj%2BDJq%2FKhjCWDxzBU0JaqJAAAAAmRau0bhhsXk5YZ3Nev668lcXuPdsHMjVjPBETFrYASY%2B66iLWwYX6MGJlUln4Rxg0Xstv0zLVvOqNPm0qEdVXQ%3D%3D@vb365srv:4222?passwordEncrypted"
Note: The ending of this line has been truncated for this example. - Example (After):
<Server JetStreamConnectionString="nats://admin:53kr37pa55vv0rd@vb365srv:4222"
Note: The ending of this line has been truncated for this example.
- Example (Before):
- Start the Veeam Backup for Microsoft 365 Service service and check that the connection went through properly and that it was able to create the necessary streams.
- Review the next section and update the NATS connection settings for all proxies, including the proxy on the Veeam Backup for Microsoft 365 server.
Change NATS Server Connection Settings on Veeam Backup for Microsoft 365 Proxy
Review and perform the following steps on all proxies:
- Stop all Veeam Backup for Microsoft 365 services.
- Open the configuration XML file: C:\ProgramData\Veeam\Backup365\Proxy.xml
- Within the <Archiver> section, identify the line with the following pattern:
<Proxy JetStreamConnectionString="nats://admin:<password>@<NATS-server-hostname>:4222?passwordEncrypted" - Update the JetStreamConnectString as follows:
- Replace the encrypted password value with the plaintext password that will be used to connect to the NATS server.
- Remove ?passwordEncrypted located after the port number and before the quotation mark.
- Example (Before):
<Proxy JetStreamConnectionString="nats://admin:AQAAANCMnd8BFdERjHoAwE%2FCl%2BsBAAAARy%2Fvgmvm50WcOwqjnpZO1AQAAAACAAAAAAAQZgAAAAEAACAAAAA9CveKuONc5hEvEh5XSb47Nb9MzqkF65vaI0sXherMKQAAAAAOgAAAAAIAACAAAADbg1B7jbmeJe3Rm5Z0hc8HGEAe5av9%2BW4jthTn8IR0pDAAAAB6ynoaYEAC2bvtQK1w6CV%2FfeayQHFnRYpjo3oG%2ByNzBhj%2BDJq%2FKhjCWDxzBU0JaqJAAAAAmRau0bhhsXk5YZ3Nev668lcXuPdsHMjVjPBETFrYASY%2B66iLWwYX6MGJlUln4Rxg0Xstv0zLVvOqNPm0qEdVXQ%3D%3D@vb365srv:4222?passwordEncrypted"
Note: The ending of this line has been truncated for this example. - Example (After):
<Proxy JetStreamConnectionString="nats://admin:53kr37pa55vv0rd@vb365srv:4222"
Note: The ending of this line has been truncated for this example.
- Example (Before):
- Start the all Veeam Backup for Microsoft 365 services.
How to Update Veeam Backup for Microsoft 365 PostgreSQL Connection Settings
Veeam Backup for Microsoft 365 utilizes two types of databases:
- Configuration Database to store the Veeam Backup for Microsoft 365 configuration.
- Data Caching Databases for each repository.
The Veeam Backup for Microsoft 365 software uses administrative credentials to create and connect to the Configuration Database, whereas the proxy servers operate differently. After creating the Configuration Database, roles are established within the PostgreSQL instance with the name proxy_dbuser_<config_db_name>, and read-only access is granted for specific tables within the Configuration Database. For example, the default Configuration Database name is “VeeamBackup365”; therefore, the read-only role will be named “proxy_dbuser_veeambackup365”.
The administrator provides the username and password during installation for generating the Configuration Database. During the installation, the username and password for the read-only role are created, and that account information is secured in the configuration files in an encrypted format.
When the password for the user utilized by Veeam Backup for Microsoft 365 to connect to the Configuration Database is changed, it must be updated in the configuration files.
Password Restrictions
The following characters should not be used as part of the PostgreSQL user's password:
- @
- <
- >
- '
- "
Update PostgreSQL Configuration Database Connection Details
- On the Veeam Backup for Microsoft 365 server, open the configuration file in a text editor:
C:\ProgramData\Veeam\Backup365\Config.xml - Within the <Archiver> section, identify the line with the following pattern:
<ControllerPostgres ControllerConnectionString="host=<hostname>;port=5432;database=<config_db_name>;username=postgres;password=<encrypted_password>;passwordencrypted=True;MaxPoolSize=100;ConnectionIdleLifetime=10" /> - Update the ControllerConnectionString as follows:
- Replace the encrypted password value with the plaintext password that will be used to connect to the Configuration Database.
- Remove ;passwordencrypted=True parameter.
- Example (Before):
<ControllerPostgres ControllerConnectionString="host=vb365srv;port=5432;database=VeeamBackup365;username=postgres;password=AQAAANCMnd8BFdERjHoAwE%2FCl%2BsBAAAARy%2Fvgmvm50WcOwqjnpZO1AQAAAACAAAAAAAQZgAAAAEAACAAAADQngLZF6xhXmUoY2ntShya0r4MmMZC8qhn4oeTs7eRXQAAAAAOgAAAAAIAACAAAAADc0FIuyQyE45qlTITlQru0UG0pnTWhHRDmfAMWH64YxAAAACkHVqiKuTRXGbVA5WJR8c8QAAAAD5nomp8vuxg2DpCJIFIFhaPRZlbMCwJts%2FVq1rUP8HHCOmaJFTUWDn1kaLoAVb9B1CWXAsHR5LHaSbWx3isMzo%3D;maxpoolsize=100;connectionidlelifetime=10;PasswordEncrypted=True" />
- Example (After):
<ControllerPostgres ControllerConnectionString="host=vb365srv;port=5432;database=VeeamBackup365;username=postgres;password=53kr37pa55vv0rd;maxpoolsize=100;connectionidlelifetime=10; />
- Example (Before):
- Restart the Veeam Backup for Microsoft 365 Service service; the password in the file will be automatically encrypted, and the software will regain database access.
Update Read Only User Account Used by Proxies
When the password for the proxy_dbuser_<config_db_name> user has been changed, the new password must be updated in multiple locations. The methodology is the same as updating the configuration database password: replace the encrypted password value with the new password in plaintext, remove the 'PasswordEncrypted=True' parameter, and restart the services.
Update Password Distributed by Veeam Backup for Microsoft 365 to New Proxies
The Config.xmlC:\ProgramData\Veeam\Backup365\Config.xml file on the Veeam Backup for Microsoft 365 server stores the connection string used when deploying new proxies and must be updated to ensure those future proxies have the correct credentials to access the database.
- On the Veeam Backup for Microsoft 365 server, open: C:\ProgramData\Veeam\Backup365\Config.xml
- Within the config.xml file, find the line that starts with: <RemoteProxyDeploymentSettings
- Update the ControllerConnectionStringForProxy settings as follows:
- For each password= parameter on that line, replace the encrypted password value with the new password in plaintext.
- Find each instance of ;PasswordEncrypted=True on that line, and remove them.
- Restart the Veeam Backup for Microsoft 365 Service.
During the next startup of the service, the plaintext passwords in the Config.xml will be encrypted and replaced with that encrypted value.
Update the Password Used by the Existing Proxies
The Proxy.xmlC:\ProgramData\Veeam\Backup365\Proxy.xml on each proxy stores the connection information to access the configuration database. This value is only pushed out to the proxy during initial deployment. As such, after a password change for the proxy_dbuser_<config_db_name> user, the credentials within the Proxy.xml file must be manually updated on each existing proxy.
On each Proxy server, do the following:
- Open: C:\ProgramData\Veeam\Backup365\Proxy.xml
- Within the Proxy.xml file, find the two lines that start with:
- <ProxyPostgres
- <PersistentCachePostgres
- Within those lines, update the Connection Strings as follows:
- Find the password= parameter and replace the encrypted password value with the new password in plaintext.
- Remove the ;PasswordEncrypted=True parameter.
- Restart the Veeam Backup for Microsoft 365 Proxy Service.
During the next startup of the service, the plaintext passwords in the Proxy.xml will be encrypted and replaced with that encrypted value.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.