From 0998c1564f2fddcae4d7840019a824113cb0bfde Mon Sep 17 00:00:00 2001 From: KBbitsP <75751774+KBbitsP@users.noreply.github.com> Date: Fri, 10 Nov 2023 22:38:49 +0530 Subject: [PATCH] Added the steps to update shiroNbHashIterations Added the steps to update shiroNbHashIterations --- userguide/platform/userguide_deployment.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/userguide/platform/userguide_deployment.adoc b/userguide/platform/userguide_deployment.adoc index 0155c45af..6086b0d1e 100644 --- a/userguide/platform/userguide_deployment.adoc +++ b/userguide/platform/userguide_deployment.adoc 
@@ -30,7 +30,10 @@ Kill Bill is fundamentally a backend system, so the following considerations sho ---- * Make sure the servers have enough entropy: `/proc/sys/kernel/random/entropy_avail` should be > 3k (otherwise install `haveged` / `rng-tools`). Kill Bill should also be started with `-Djava.security.egd=file:/dev/./urandom`. -* Adjust `org.killbill.security.shiroNbHashIterations` as needed. This setting configures the number of iterations run to hash API secrets and user passwords. The default value is high for security reasons, but can be adjusted down if required (e.g. for Docker `-e KILLBILL_SECURITY_SHIRO_NB_HASH_ITERATIONS=1`) as this can have a significant performance impact. Note that changing the value requires re-hashing manually all tenants secrets and user passwords. +* Adjust `org.killbill.security.shiroNbHashIterations` as needed. This setting configures the number of iterations run to hash API secrets and user passwords. The default value is high for security reasons, but can be adjusted down if required (e.g. for Docker `-e KILLBILL_SECURITY_SHIRO_NB_HASH_ITERATIONS=1`) as this can have a significant performance impact. + +In order to change this value OR to rotate the keys, manual re-hashing of all tenants secrets and user passwords is required. To achieve this, specify the target value of the property in the configuration ( not required in case of rotating the keys ). Then create a new tenant with same config ( OR with the new key in case of rotating the keys ) in the test environment. This will now create the required values in the table `tenants` for the columns api_key, api_secret and api_salt, that need to be copied over to replace the corresponding values in the Production database. Make sure to restart each node OR alternatively to invalidate the caches after the update. 
+ * Make sure your database and queues configuration are adequate: the `bus_events` table should almost always be empty and the `notifications` table should never have any `AVAILABLE` entry with an effective date in the past. Otherwise, in both cases, the system will be late (invoices not generated, etc.). These two metrics should always be monitored in production (potentially a paging event). * Verify the integration with your payment gateway(s): very few payment transactions (if any) should be in an `UNKNOWN` state. Make sure to fix these manually via the Payment Admin API, if the plugin is unable to do it automatically. * Have a monitoring system in place (we recommend https://github.com/killbill/killbill-cloud/tree/master/docker/compose[Elasticseach, Logstash, Kibana, InfluxDB and Grafana], which can be easily setup for Kill Bill) and watch your logs constantly: any `WARN` or `ERROR` entry should be reviewed, as well as stacktraces.
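Review bot: the new paragraph in this hunk is inserted as a top-level paragraph between bullet items, which in AsciiDoc terminates the list, so "* Make sure your database and queues configuration are adequate" and the items after it render as a separate list; keep the procedure attached to the `shiroNbHashIterations` bullet with a list continuation (`+` on its own line before "In order to change this value") or as an indented sub-point. Two gaps in the procedure itself are worth closing before merging: first, the text says "manual re-hashing of all tenants secrets and user passwords is required" but the steps only cover the `api_key`, `api_secret` and `api_salt` columns of `tenants`, so the reader is left with no step for re-hashing user passwords; second, the steps say to set the target property value "in the configuration" and to create the tenant "in the test environment", but never state that the same property value must be deployed to every production node (a restart is mentioned, the config change is not), and secrets hashed with a different iteration count will not verify on nodes still running the old value. Minor wording: "tenants secrets" should be "tenants' secrets", and the spaced parentheticals "( not required in case of rotating the keys )" / "( OR with the new key ... )" should be written without the inner spaces and with "or" in lower case to match the rest of the page.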