spsecure
- Matthew Wren
On This Page:
Background
With the release of ServiceScheduling 13.0.6, user passwords are stored securely in the ServiceScheduling database to protect user information.
It is no longer possible to authenticate against a user unless the user's sp083.AUTH_TYPE value is either SECURED or LDAP.
The passwords for existing users with an sp083.AUTH_TYPE value of INTERNAL, are upgraded to have the stored password hashed, and the sp083.AUTH_TYPE value changed to SECURED when the dbinstall utility is run as part of the upgrade process.
The dbinstall utility will also upgrade all user passwords in the sp430 table to be hashed as part of the upgrade process.
As always, it is recommended to backup the database before upgrading.
spsecure
The spsecure utility has been added to the ServiceScheduling bin directory.
This utility secures all user sp085 passwords where the AUTH_TYPE value is INTERNAL, and all passwords in sp430.
The tool is automatically run at the end of the dbinstall script.
The tool may also be run as a standalone binary if necessary, for example, where new users are directly inserted into the database using the deprecated INTERNAL authentication approach.
After upgrading to ServiceScheduling 13.0.6, there is no need to run the spsecure utility when users are created via the Create User SOAP API or updated via the Update User SOAP API.
These APIs will automatically store passwords in the new secure format.
Running the tool on a database where passwords have been already secured will have no effect.
Arguments
-d <databaseConnectionString>
- The ServiceScheduling database connection string.
Functionality
- Select all passwords from
sp085Â with anÂAUTH_TYPEofINTERNALand all un-hashed passwords insp430. - Assign a random salt, and hash the passwords.
- Insert the passwords back into the database, and set theÂ
AUTH_TYPEtoSECUREDin thesp083table.