From 2e3689583d21f320d69c5f33049047e5c91e627b Mon Sep 17 00:00:00 2001
From: Bill Erickson <berickxx@gmail.com>
Date: Mon, 23 Nov 2015 13:22:37 -0500
Subject: [PATCH] LP#1468422 Password storage release notes

Signed-off-by: Bill Erickson <berickxx@gmail.com>
Signed-off-by: Dan Wells <dbw2@calvin.edu>
---
 .../password-storage.lp1468422.adoc           | 95 +++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 docs/RELEASE_NOTES_NEXT/Administration/password-storage.lp1468422.adoc

diff --git a/docs/RELEASE_NOTES_NEXT/Administration/password-storage.lp1468422.adoc b/docs/RELEASE_NOTES_NEXT/Administration/password-storage.lp1468422.adoc
new file mode 100644
index 0000000000..01b9ae363a
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/Administration/password-storage.lp1468422.adoc
@@ -0,0 +1,95 @@
+Improved Password Management and Authentication
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Evergreen user passwords are now stored with additional layers of 
+encryption and may only be accessed directly by the database, not
+the application layer.
+
+All API changes are backwards compatible with existing 3rd-party
+clients.
+
+open-ils.auth_internal
+++++++++++++++++++++++
+To support the new storage mechanism, a new Evergreen service has
+been added called "open-ils.auth_internal".  This service runs on
+the private OpenSRF/XMPP domain and is used to store authenticated 
+user data in the authentication cache.  
+
+This is a required service and changes to opensrf.xml (typically 
+/openils/conf/opensrf.xml) are needed to run the new service.
+
+.Modifying opensrf.xml
+* A new <open-ils.auth_internal> app stanza is added to define the 
+  new service
+* Cache timeout settings are moved from the app stanza for open-ils.auth
+  into open-ils.auth_internal
+* open-ils.auth_internal is added to the set of running services for the 
+  domain.
+
+Example diff:
+
+[source,diff]
+---------------------------------------------------------------------
+diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
+index 3b47481..59f737a 100644
+--- a/Open-ILS/examples/opensrf.xml.example
++++ b/Open-ILS/examples/opensrf.xml.example
+@@ -424,6 +424,29 @@ vim:et:ts=4:sw=4:
+                 </unix_config>
+                 <app_settings>
+                     <!-- defined app-specific settings here -->
++                    <auth_limits>
++                        <seed>30</seed> <!-- amount of time a seed request is valid for -->
++                        <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
++                        <block_count>10</block_count> <!-- number of failures before blocking access -->
++                    </auth_limits>
++                </app_settings>
++            </open-ils.auth>
++
++            <!-- Internal authentication server -->
++            <open-ils.auth_internal>
++                <keepalive>5</keepalive>
++                <stateless>1</stateless>
++                <language>c</language>
++                <implementation>oils_auth_internal.so</implementation>
++                <unix_config>
++                    <max_requests>1000</max_requests>
++                    <min_children>1</min_children>
++                    <max_children>15</max_children>
++                    <min_spare_children>1</min_spare_children>
++                    <max_spare_children>5</max_spare_children>
++                </unix_config>
++                <app_settings>
++                    <!-- defined app-specific settings here -->
+                     <default_timeout>
+                         <!-- default login timeouts based on login type -->
+                         <opac>420</opac>
+@@ -431,13 +454,10 @@ vim:et:ts=4:sw=4:
+                         <temp>300</temp>
+                         <persist>2 weeks</persist>
+                     </default_timeout>
+-                    <auth_limits>
+-                        <seed>30</seed> <!-- amount of time a seed request is valid for -->
+-                        <block_time>90</block_time> <!-- amount of time since last auth or seed request to save failure counts -->
+-                        <block_count>10</block_count> <!-- number of failures before blocking access -->
+-                    </auth_limits>
+                 </app_settings>
+-            </open-ils.auth>
++            </open-ils.auth_internal>
++
++
+ 
+             <!-- Authentication proxy server -->
+             <open-ils.auth_proxy>
+@@ -1177,6 +1197,7 @@ vim:et:ts=4:sw=4:
+                 <appname>open-ils.circ</appname> 
+                 <appname>open-ils.actor</appname> 
+                 <appname>open-ils.auth</appname> 
++                <appname>open-ils.auth_internal</appname>
+                 <appname>open-ils.auth_proxy</appname> 
+                 <appname>open-ils.storage</appname>  
+                 <appname>open-ils.justintime</appname>  
+---------------------------------------------------------------------
+
+
+
+
-- 
2.43.2