Document toolboxDocument toolbox

14.1 spsecure

On This Page:

Background

With the release of ServiceScheduling 13.0.6, user passwords are stored securely in the ServiceScheduling database to protect user information.

It is no longer possible to authenticate against a user unless the user's sp083.AUTH_TYPE value is either SECURED or LDAP.

The passwords for existing users with an sp083.AUTH_TYPE value of INTERNAL, are upgraded to have the stored password hashed, and the sp083.AUTH_TYPE value changed to SECURED when the dbinstall utility is run as part of the upgrade process.

The dbinstall utility will also upgrade all user passwords in the sp430 table to be hashed as part of the upgrade process.

As always, it is recommended to backup the database before upgrading.

spsecure

The spsecure utility has been added to the ServiceScheduling bin directory.

This utility secures all user sp085 passwords where the AUTH_TYPE value is INTERNAL, and all passwords in sp430.

The tool is automatically run at the end of the dbinstall script.

The tool may also be run as a standalone binary if necessary, for example, where new users are directly inserted into the database using the deprecated INTERNAL authentication approach.

After upgrading to ServiceScheduling 13.0.6, there is no need to run the spsecure utility when users are created via the 14.1 Create User SOAP API or updated via the 14.1 Update User SOAP API.

These APIs will automatically store passwords in the new secure format.

Running the tool on a database where passwords have been already secured will have no effect.

Arguments

-d <databaseConnectionString>

  • The ServiceScheduling database connection string.

Functionality

  1. Select all passwords from sp085 with an AUTH_TYPE of INTERNAL and all un-hashed passwords in sp430.
  2. Assign a random salt, and hash the passwords.
  3. Insert the passwords back into the database, and set the AUTH_TYPE to SECURED in the sp083 table.