Skip to content

Password Management

This page gives an overview of the Raven Password Management service, describing its current status, where and how it's developed and deployed, and who is responsible for maintaining it.

Service Description

This services allows Raven account holders to manage their password. Changing of passwords can be performed via 'normal' login, self-service recovery or password reset tokens. These tokens may be issued by departmental or college administrators, or by University Information Services.

Self-service password recovery allows users to reset their password by configuring a recovery email address and/or mobile phone number and set up some security questions that will be used to prove their identity during password recovery.

Changed passwords are synchronised with a wide range of University systems, including Raven based websites, Exchange Online email, Hermes email and Desktop Services including the Managed Cluster Service (MCS).

A history of changes to passwords and recovery details is also visible to an authenticated user.

Service Status

The Raven Password Management service is currently live.

The intention is to move this service from UIS infrastructure VMs to a Google Cloud deployment but no timeline for this is currently set.

Contact

End-user support is provided by the Service Desk and User Admin.

Technical queries and support should be directed to the Service Desk and will be picked up by a member of the team working on the service. To ensure that you receive a response, always direct requests to servicedesk@uis.cam.ac.uk rather than reaching out to team members directly.

Issues discovered in the service or new feature requests should be opened as GitLab issues here.

Environments

The Password app is currently deployed to the following environments:

Name URL Supporting VMs
Production https://password.raven.cam.ac.uk/ raven-password-live1.srv.uis.private.cam.ac.uk
raven-password-live2.srv.uis.private.cam.ac.uk
passwordapp-live-db.srv.uis.private.cam.ac.uk
Test https://uis-tm-test.password.raven.cam.ac.uk/ raven-password-test1.srv.uis.private.cam.ac.uk
raven-password-test2.srv.uis.private.cam.ac.uk
devgroup-test-db.srv.uis.private.cam.ac.uk

The Traffic Manager load-balances web traffic to the supporting VMs, making use of sticky sessions to ensure that the relevant in-memory password-change queue is displayed to the user.

The test VMs have their own fake local password clients that act as black holes for all password changes. Any actions that require a password to be quoted on a test VM (not including the initial Raven logon) should quote the fake password stored in 1password.

Source code

The source code for the Password Management Application is stored in this Gitlab repository

Technologies used

The following gives an overview of the technologies the Password app is built on.

Category Language Framework(s)
Server Java+Groovy Grails
DB Postgres Moa

Operational documentation

The following gives an overview of how the Password app is deployed and maintained.

Taking a host out of service

Hosts can be taken out of service by creating a file /maintenance_mode which causes the monitor script to return an http 500 response code, which in turn causes the Traffic Manager to direct traffic elsewhere.

Deploying a new release

Deployed by running the Grails application deployment ansible after ensuring that the package_version group_var has been set to the correct version.

Monitoring

The Password app is monitored by the UIS infra-sas nagios service.

Sevices currently monitored:

  • ping - standard nagios ping check.
  • SSL - checks for a valid TLS certificate on port 8443.
  • https_devgroup - checks for a 200 response from the /adm/status page on port 8443.
  • disc-space - checks for at least 15% free disk space.

There is also a check for a vaild TLS certificate being served by the traffic manager for https://uis-tm.password.raven.cam.ac.uk

Debugging

The Password app cannot be run locally, and therefore the test instance should be used to trial changes and fixes.

Other operational documentation

End-user documentation: https://help.uis.cam.ac.uk/service/accounts-passwords

Description of the password strength checker: https://wiki.cam.ac.uk/uis/UIS_Password_Strength_Checker

The self-service password recovery flow: https://gitlab.developers.cam.ac.uk/uis/devops/raven/passwords/passwords/-/blob/master/doc/password-recovery.pdf

Service Management and tech lead

The service owner for the Password app is Vijay Samtani

The service manager for the Password app is currently vacant

The tech lead for the Password app is Robin Goodall

The following engineers have operational experience with the Password app and are able to respond to support requests or incidents: