How to Update NATS and PostgreSQL Passwords Used by Veeam Backup for Microsoft 365

KB ID: 4669
Product: Veeam Backup for Microsoft 365 | 8
Published: 2024-10-11
Last Modified: 2024-10-11

Purpose

This article documents the procedures for updating the password that Veeam Backup for Microsoft 365 uses to connect to the NATS server and the password that the Proxy uses to communicate with the database.

Solution

Expand the section below relevant to the password that has been changed:
How to Update NATS Server Password
Default Installed NATS Server

The instructions about changing the NATS server-side password assume that the NATS server in use is the one included and deployed by the Veeam Backup for Microsoft 365 installer.

For information about configuring Veeam Backup for Microsoft 365 to utilize a different existing NATS server after deployment, skip to the "Update Veeam Backup for Microsoft 365 NATS Client Connection Settings" section, and update the hostname as well as the password.

The NATS server ensures communication between backup proxy servers that you group into a backup proxy pool. For more information about backup proxy pools, see Backup Proxy Pools. The NATS server uses the JetStream technology that provides message queuing and streaming capabilities. Veeam Backup for Microsoft 365 leverages this technology to create a set of streams that provide communication between the backup infrastructure components. For more information about JetStream, see this NATS article.
Requires Stopping All Jobs
The procedures below document changing both the NATS server-side password and the password Veeam Backup for Microsoft 365 uses to connect to NATS. This change will require restarting related services. For that reason, all jobs and restore operations must be stopped within Veeam Backup for Microsoft 365 before changes are made.

Password Restrictions

The following characters should not be used as part of the NATS server password:

  • @
  • <
  • >
  • '
  • "

Change NATS Server-Side Password

To ensure maximum security, this method demonstrates storing the password in bcrypt hash format within the NATS server configuration.

  1. Come up with or generate a new password.
  2. Convert that password to bcrypt hash format.
    Note: For example, using bcrypt.online
  3. Edit the NATS server configuration file: C:\ProgramData\NATS\nats-server.conf
  4. Find the line for password:
  5. Update the password hash value in quotes with the hash generated in Step 2.
  6. Save the file.
  7. Restart the nats-server service.
Procedure Note
The procedure for updating the client-side password involves writing the password in plaintext into the configuration file and restarting the relevant Veeam Backup for Microsoft 365 service. As soon as the service starts, it encrypts the plaintext password and writes the encrypted value to the file, overwriting the plaintext entry.

Update Veeam Backup for Microsoft 365 NATS Client Connection Settings

The connection settings must be updated in two different locations depending on the role of the component.

  • Veeam Backup for Microsoft 365 Server — C:\ProgramData\Veeam\Backup365\Config.xml
  • Veeam Backup for Microsoft 365 Proxy — C:\ProgramData\Veeam\Backup365\Proxy.xml

Review the sections below for component-specific instructions.

 

Change NATS Server Connection Settings on Veeam Backup for Microsoft 365 Server
  1. Stop all Veeam Backup for Microsoft 365 services.
  2. Open the configuration XML file: C:\ProgramData\Veeam\Backup365\Config.xml
  3. Within the <Archiver> section, identify the line with the following pattern:
    <Server JetStreamConnectionString="nats://admin:<password>@<NATS-server-hostname>:4222?passwordEncrypted"
  4. Update the JetStreamConnectionString as follows:
    1. Replace the encrypted password value with the plaintext password that will be used to connect to the NATS server.
    2. Remove ?passwordEncrypted located after the port number and before the quotation mark.
      • Example (Before):
        <Server JetStreamConnectionString="nats://admin:AQAAANCMnd8BFdERjHoAwE%2FCl%2BsBAAAARy%2Fvgmvm50WcOwqjnpZO1AQAAAACAAAAAAAQZgAAAAEAACAAAAA9CveKuONc5hEvEh5XSb47Nb9MzqkF65vaI0sXherMKQAAAAAOgAAAAAIAACAAAADbg1B7jbmeJe3Rm5Z0hc8HGEAe5av9%2BW4jthTn8IR0pDAAAAB6ynoaYEAC2bvtQK1w6CV%2FfeayQHFnRYpjo3oG%2ByNzBhj%2BDJq%2FKhjCWDxzBU0JaqJAAAAAmRau0bhhsXk5YZ3Nev668lcXuPdsHMjVjPBETFrYASY%2B66iLWwYX6MGJlUln4Rxg0Xstv0zLVvOqNPm0qEdVXQ%3D%3D@vb365srv:4222?passwordEncrypted"
        
        Note: The ending of this line has been truncated for this example.
      • Example (After):
        <Server JetStreamConnectionString="nats://admin:53kr37pa55vv0rd@vb365srv:4222"
        
        Note: The ending of this line has been truncated for this example.
  5. Start the Veeam Backup for Microsoft 365 Service and check that it connected to the NATS server properly and was able to create the necessary streams.
  6. Review the next section and update the NATS connection settings for all proxies, including the proxy on the Veeam Backup for Microsoft 365 server.

 

Change NATS Server Connection Settings on Veeam Backup for Microsoft 365 Proxy

Review and perform the following steps on all proxies:

  1. Stop all Veeam Backup for Microsoft 365 services.
  2. Open the configuration XML file: C:\ProgramData\Veeam\Backup365\Proxy.xml
  3. Within the <Archiver> section, identify the line with the following pattern:
    <Proxy JetStreamConnectionString="nats://admin:<password>@<NATS-server-hostname>:4222?passwordEncrypted"
  4. Update the JetStreamConnectionString as follows:
    1. Replace the encrypted password value with the plaintext password that will be used to connect to the NATS server.
    2. Remove ?passwordEncrypted located after the port number and before the quotation mark.
      • Example (Before):
        <Proxy JetStreamConnectionString="nats://admin:AQAAANCMnd8BFdERjHoAwE%2FCl%2BsBAAAARy%2Fvgmvm50WcOwqjnpZO1AQAAAACAAAAAAAQZgAAAAEAACAAAAA9CveKuONc5hEvEh5XSb47Nb9MzqkF65vaI0sXherMKQAAAAAOgAAAAAIAACAAAADbg1B7jbmeJe3Rm5Z0hc8HGEAe5av9%2BW4jthTn8IR0pDAAAAB6ynoaYEAC2bvtQK1w6CV%2FfeayQHFnRYpjo3oG%2ByNzBhj%2BDJq%2FKhjCWDxzBU0JaqJAAAAAmRau0bhhsXk5YZ3Nev668lcXuPdsHMjVjPBETFrYASY%2B66iLWwYX6MGJlUln4Rxg0Xstv0zLVvOqNPm0qEdVXQ%3D%3D@vb365srv:4222?passwordEncrypted"
        
        Note: The ending of this line has been truncated for this example.
      • Example (After):
        <Proxy JetStreamConnectionString="nats://admin:53kr37pa55vv0rd@vb365srv:4222"
        
        Note: The ending of this line has been truncated for this example.
  5. Start all Veeam Backup for Microsoft 365 services.
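
The connection-string edit from the two procedures above, as an added PowerShell example that is not part of the Veeam article: it rejects the restricted characters listed earlier, then swaps in the plaintext password and drops ?passwordEncrypted. The function name and the sample line are constructed for illustration, and the function works on the file's text rather than writing the file.

```powershell
# Added example: function name and sample values are constructed for illustration.
function Update-JetStreamConnectionString {
    param(
        [Parameter(Mandatory)][string]$XmlText,      # contents of Config.xml or Proxy.xml
        [Parameter(Mandatory)][string]$NewPassword   # plaintext password for the NATS admin user
    )
    # Characters the article lists as not allowed in the NATS server password.
    if ($NewPassword -match '[@<>''"]') {
        throw 'Password contains a restricted character (@ < > '' ").'
    }
    # Groups: 1 = attribute name through "admin:", 2 = "@host:port".
    # The old password and an optional ?passwordEncrypted flag are dropped.
    $pattern = '(JetStreamConnectionString="nats://admin:)[^@"]*(@[^"?]+)(?:\?passwordEncrypted)?(?=")'
    if ($XmlText -cnotmatch $pattern) {
        throw 'No JetStreamConnectionString attribute found.'
    }
    # A script-block evaluator inserts the password literally, so a "$" in it
    # is not treated as a regex substitution token.
    [regex]::Replace($XmlText, $pattern, {
        param($m)
        $m.Groups[1].Value + $NewPassword + $m.Groups[2].Value
    })
}

# Constructed sample line; the encrypted value is a placeholder, not real data.
$sample = '<Server JetStreamConnectionString="nats://admin:ENCRYPTED-PLACEHOLDER@vb365srv:4222?passwordEncrypted" />'
Update-JetStreamConnectionString -XmlText $sample -NewPassword '53kr37pa55vv0rd'
```

The same function handles the <Proxy ...> line in Proxy.xml, because the pattern keys on the attribute name rather than the element name.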
How to Update Veeam Backup for Microsoft 365 PostgreSQL Connection Settings

Veeam Backup for Microsoft 365 utilizes two types of databases:

  • Configuration Database to store the Veeam Backup for Microsoft 365 configuration.
  • Data Caching Databases for each repository.

The Veeam Backup for Microsoft 365 software uses administrative credentials to create and connect to the Configuration Database, whereas the proxy servers operate differently. After creating the Configuration Database, roles are established within the PostgreSQL instance with the name proxy_dbuser_<config_db_name>, and read-only access is granted for specific tables within the Configuration Database. For example, the default Configuration Database name is “VeeamBackup365”; therefore, the read-only role will be named “proxy_dbuser_veeambackup365”.

The administrator provides the username and password during installation for generating the Configuration Database. During the installation, the username and password for the read-only role are created, and that account information is secured in the configuration files in an encrypted format.

When the password for the user utilized by Veeam Backup for Microsoft 365 to connect to the Configuration Database is changed, it must be updated in the configuration files.

Password Restrictions

The following characters should not be used as part of the PostgreSQL user's password:

  • @
  • <
  • >
  • '
  • "
Procedure Note
The procedure for updating the client-side password involves writing the password in plaintext into the configuration file and restarting the relevant Veeam Backup for Microsoft 365 service. As soon as the service starts, it encrypts the plaintext password and writes the encrypted value to the file, overwriting the plaintext entry.

Update PostgreSQL Configuration Database Connection Details

  1. On the Veeam Backup for Microsoft 365 server, open the configuration file in a text editor:
    C:\ProgramData\Veeam\Backup365\Config.xml
  2. Within the <Archiver> section, identify the line with the following pattern:
        <ControllerPostgres ControllerConnectionString="host=<hostname>;port=5432;database=<config_db_name>;username=postgres;password=<encrypted_password>;passwordencrypted=True;MaxPoolSize=100;ConnectionIdleLifetime=10" />
  3. Update the ControllerConnectionString as follows:
    1. Replace the encrypted password value with the plaintext password that will be used to connect to the Configuration Database.
    2. Remove the ;passwordencrypted=True parameter.
      • Example (Before):
        <ControllerPostgres ControllerConnectionString="host=vb365srv;port=5432;database=VeeamBackup365;username=postgres;password=AQAAANCMnd8BFdERjHoAwE%2FCl%2BsBAAAARy%2Fvgmvm50WcOwqjnpZO1AQAAAACAAAAAAAQZgAAAAEAACAAAADQngLZF6xhXmUoY2ntShya0r4MmMZC8qhn4oeTs7eRXQAAAAAOgAAAAAIAACAAAAADc0FIuyQyE45qlTITlQru0UG0pnTWhHRDmfAMWH64YxAAAACkHVqiKuTRXGbVA5WJR8c8QAAAAD5nomp8vuxg2DpCJIFIFhaPRZlbMCwJts%2FVq1rUP8HHCOmaJFTUWDn1kaLoAVb9B1CWXAsHR5LHaSbWx3isMzo%3D;maxpoolsize=100;connectionidlelifetime=10;PasswordEncrypted=True" />
        
      • Example (After):
        <ControllerPostgres ControllerConnectionString="host=vb365srv;port=5432;database=VeeamBackup365;username=postgres;password=53kr37pa55vv0rd;maxpoolsize=100;connectionidlelifetime=10" />
        
  4. Restart the Veeam Backup for Microsoft 365 Service service; the password in the file will be automatically encrypted, and the software will regain database access.

Update Read Only User Account Used by Proxies

When the password for the proxy_dbuser_<config_db_name> user has been changed, the new password must be updated in multiple locations. The methodology is the same as updating the configuration database password: replace the encrypted password value with the new password in plaintext, remove the 'PasswordEncrypted=True' parameter, and restart the services.

 

Update Password Distributed by Veeam Backup for Microsoft 365 to New Proxies

The Config.xml file (C:\ProgramData\Veeam\Backup365\Config.xml) on the Veeam Backup for Microsoft 365 server stores the connection string used when deploying new proxies and must be updated to ensure those future proxies have the correct credentials to access the database.

  1. On the Veeam Backup for Microsoft 365 server, open: C:\ProgramData\Veeam\Backup365\Config.xml
  2. Within the Config.xml file, find the line that starts with: <RemoteProxyDeploymentSettings
  3. Update the ControllerConnectionStringForProxy settings as follows:
    1. For each password= parameter on that line, replace the encrypted password value with the new password in plaintext.
    2. Find each instance of ;PasswordEncrypted=True on that line and remove it.
  4. Restart the Veeam Backup for Microsoft 365 Service.
    During the next startup of the service, the plaintext passwords in the Config.xml will be encrypted and replaced with that encrypted value.

 

Update the Password Used by the Existing Proxies

The Proxy.xml file (C:\ProgramData\Veeam\Backup365\Proxy.xml) on each proxy stores the connection information to access the configuration database. This value is only pushed out to the proxy during initial deployment. As such, after a password change for the proxy_dbuser_<config_db_name> user, the credentials within the Proxy.xml file must be manually updated on each existing proxy.

On each Proxy server, do the following:

  1. Open: C:\ProgramData\Veeam\Backup365\Proxy.xml
  2. Within the Proxy.xml file, find the two lines that start with:
    • <ProxyPostgres
    • <PersistentCachePostgres
  3. Within those lines, update the Connection Strings as follows:
    1. Find the password= parameter and replace the encrypted password value with the new password in plaintext.
    2. Remove the ;PasswordEncrypted=True parameter.
  4. Restart the Veeam Backup for Microsoft 365 Proxy Service.
    During the next startup of the service, the plaintext passwords in the Proxy.xml will be encrypted and replaced with that encrypted value.
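
A post-restart check for the re-encryption behaviour described in the Procedure Notes, as an added PowerShell example that is not Veeam's own tooling: it lists any connection-string attribute in Config.xml or Proxy.xml whose password is not flagged as encrypted. The function name and sample XML are constructed; the flag spellings are the ones shown in this article.

```powershell
# Added example: function name and sample XML are constructed for illustration.
function Find-PlaintextCredential {
    param([Parameter(Mandatory)][string]$XmlText)   # contents of Config.xml or Proxy.xml
    foreach ($m in [regex]::Matches($XmlText, '(\w+)="([^"]*)"')) {
        $name  = $m.Groups[1].Value
        $value = $m.Groups[2].Value
        if ($value -match '^nats://[^:/@]+:[^@]*@') {
            # NATS form: an encrypted password is marked by a trailing ?passwordEncrypted
            $encrypted = $value -match '\?passwordEncrypted$'
        }
        elseif ($value -match '(^|;)\s*password=') {
            # PostgreSQL form: marked by a passwordencrypted=True parameter (any case)
            $encrypted = $value -match '(^|;)\s*passwordencrypted=true\s*(;|$)'
        }
        else { continue }
        # Report the attribute name only, never the secret itself.
        if (-not $encrypted) { $name }
    }
}

# Constructed sample: the NATS password is flagged encrypted, the PostgreSQL one is not.
$sample = @'
<Archiver>
  <Server JetStreamConnectionString="nats://admin:ENCRYPTED-PLACEHOLDER@vb365srv:4222?passwordEncrypted" />
  <ControllerPostgres ControllerConnectionString="host=vb365srv;port=5432;database=VeeamBackup365;username=postgres;password=PLAINTEXT-PLACEHOLDER;maxpoolsize=100;connectionidlelifetime=10" />
</Archiver>
'@
Find-PlaintextCredential -XmlText $sample
```

Against a live server, pass (Get-Content -Raw 'C:\ProgramData\Veeam\Backup365\Config.xml') as -XmlText after the service has started; any attribute name it returns still holds a plaintext password.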