ILLiad 9.0 FAQ


In this article, we will go over frequently asked questions pertaining to the ILLiad 9.0 update. 

General

Will there be full release notes available for ILLiad 9.0?

They are now available at https://support.atlas-sys.com/hc/en-us/articles/360011811474-ILLiad-9-0-Release-Notes 

Will my system automatically update to ILLiad 9.0 on release day?

No.  You can schedule your ILLiad server update with your hosting provider or your local server administrator (if self-hosted) for a time that works for you.

Is TLS 1.0 still required for ILLiad on the server?

It can be disabled without error.

What is FIPS? How is it enabled?

Federal Information Processing Standards (FIPS) are United States Government standards. FIPS is enabled via Windows Group Policy.

If you need to utilize FIPS on your system after the update, you must update ALL passwords for staff members prior to activating it, or FIPS checking will prevent the system from running for the respective Staff user.

How does the new retry feature work for connection manager errors? When will it retry and how many times?

It will retry once, after 15 seconds. The retry occurs for all errors encountered when retrieving requests, except when the error is due to an OCLC record not being found or containing validation errors.

Why did the interface look change? 

The underlying components were updated and the ILLiad interface default “skin” was updated with a newer look closer to Office 2016.

Can I update from 8.6 to 8.7 or will I be required to update to 9.0?

You will need to update to ILLiad 9.0. The updater will bring down all the files available for you to update. There is no way to uncheck or exclude any updates in the updater.

Is this release compatible with DOCLINE 6.0? 

No, Atlas will need a point release for this.  We did not yet have access to a test server for the new DOCLINE system during ILLiad 9 development.

Do I need to be an administrator to update my client to ILLiad version 9.0? 

ILLiad 9.0 is a major release and will require right-clicking on the ILLiad client icon and selecting Run as Administrator after the server update for the automatic client update to start.

Password Enhancements

Staff Accounts

Why is it necessary for all staff to change their passwords?

To increase security, ILLiad’s basic authentication storage hash is updated to a more secure algorithm (default 156,000 iterations).  To make sure the passwords are stored in this new format, it is necessary to change them so the new password can be properly hashed and secured in the database.  It is a best practice for security to change passwords periodically. 

Do all staff users have to change their passwords upon login after ILLiad 9 update? Any way to disable that?

Yes, all staff will have to change their passwords. There is no way to disable that prior to the ILLiad 9 update.

If I change my password in the version 9.0 client, can I still log in to 8.7?

Due to the change in password hashing, once a staff user has logged in to version 9.0 after the update, they will not be able to log in to older client versions. This means that if one staff user plans to update multiple client workstations, they should right-click the 8.7 client to log in and start the automatic update on each machine before logging in to ILLiad 9.0 after the client update completes. If you experience errors because you have already changed your password in ILLiad 9.0 and need to update another client, the workaround is to download and install the 9.0 client to bypass the client automatic updater.

Is making staff passwords expire an optional setting? Where is that set?

It is optional after the initial password change that follows the ILLiad 9 update. You can change these settings with the Customization Manager keys StaffPasswordExpirationEnabled and StaffPasswordExpirationDays (default 180 days) under System | Password Expiration.

Does the staff password change have to be a different password or can I just keep using the same password?

Yes, it has to be different from your last password.

How does ILLiad track the date the password was changed?

There is a new field called PasswordChangedDate in the Staff table and also in the Users table for patrons. 

If my staff/students use Web Circ only, will they have to change their passwords?

Yes.

Are there default password complexity settings already in place for the initial password change requirement?

Anything will work for current sites. New installations will have base web requirements.

Criteria: (8 characters: 1 uppercase, 1 lowercase, 1 number)

Example: (?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$
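The criteria and pattern above, checked against a few constructed passwords. This is an added example, not Atlas Systems code; it assumes the pattern is applied as an unanchored search, and failed_rules and accepted are hypothetical helper names.

```python
import re

# Pattern exactly as given in the FAQ's example.
FAQ_PATTERN = re.compile(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$")

# The same criteria split out, so a rejection can say which rule failed.
RULES = {
    "at least 8 characters": re.compile(r".{8,}$"),
    "one digit": re.compile(r"\d"),
    "one lowercase letter": re.compile(r"[a-z]"),
    "one uppercase letter": re.compile(r"[A-Z]"),
}


def accepted(candidate):
    """True when the FAQ pattern finds a match in the candidate."""
    return FAQ_PATTERN.search(candidate) is not None


def failed_rules(candidate):
    """Names of the criteria the candidate does not meet, in RULES order."""
    return [name for name, rx in RULES.items() if not rx.search(candidate)]


# Constructed sample passwords, not taken from any real system.
SAMPLES = [
    "Password1",         # meets every rule, yet is a very common password
    "Passw0r",           # one character short
    "password1",         # no uppercase letter
    "correct horse 1A",  # spaces count as characters; no symbol is required
    "ÉCOLE2019é",        # [a-z] is ASCII-only, so the accented "é" does not count
]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:22} accepted={accepted(pw)!s:5} failed={failed_rules(pw)}")
```

The pattern sets a floor on character classes only; it does not reject common or previously breached passwords.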

Is it required to enforce password complexity? How is it set?

No, it is not required. It is set in Customization Manager under the StaffPasswordComplexity key. Staff Manager administrators will have the option to override password requirements when creating new staff accounts with initial passwords.

If I reset a staff password in staff manager, can I require the staff person to change the password on next login?

YES! There is a new checkbox that allows you to force reset on next login.

What happens if I try to login to Web Reports, Database Manager, or Billing Manager before I change my password after ILLiad 9 update?

Attempting to log in with an expired password will prompt you to log in to Client, Customization Manager, or Staff Manager to change your password. 

If I am updating the server from a previous version of ILLiad to ILLiad 9.0, can I stop at ILLiad 8.7?

No, unfortunately, there are no steps in the update that allow you to stop on a previous version.

After the update, do you have to log in to the Client before the Customization Manager?

Yes, because the Client will upgrade the Customization and Staff Manager to the latest version.

Patron Accounts

Do all patron users have to change their passwords upon login after ILLiad 9 update? Any way to disable that?

Yes, all patron users with ILLiad auth types of ILLiad, ILLiadExclusive, or PatronAPI will be required to reset their password upon the first login after ILLiad 9 update.

This does not affect RemoteAuth or LDAP users.

There is no way to disable that prior to the ILLiad 9 update.

Why is it necessary for all patrons to change their passwords?

To increase security, ILLiad’s basic authentication storage hash is updated to a more secure algorithm (default 156,000 iterations).  To make sure the passwords are stored in this new format, it is necessary to change them so the new password can be properly hashed and secured in the database.  It is a best practice for security to change passwords periodically.
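Why the storage change described in the staff and patron answers forces a password change: a stored hash cannot be converted to a stronger scheme without the plaintext, which the server only sees at login. This is an added sketch, not ILLiad's code. The FAQ names neither the old nor the new algorithm, so PBKDF2-HMAC-SHA256, the single-round "legacy" format, the record layout and all function names are assumptions; only the 156,000 default and the auth type being encoded into the hash come from the page.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 156_000      # default iteration count quoted in the FAQ
SCHEME = "pbkdf2-sha256"  # assumption: the FAQ does not name the algorithm


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def legacy_record(password):
    """Constructed stand-in for an old-format entry: one unsalted hash round."""
    return "legacy$" + hashlib.sha256(password.encode()).hexdigest()


def new_record(password, auth_type, iterations=ITERATIONS):
    """Salted, iterated hash; scheme, auth type and cost are stored with it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([SCHEME, auth_type, str(iterations), _b64(salt), _b64(dk)])


def verify(password, record):
    """Return (password_ok, must_change); old-format records always need a change."""
    fields = record.split("$")
    if fields[0] == "legacy":
        ok = hmac.compare_digest(legacy_record(password).encode(), record.encode())
        return ok, True
    _, _auth_type, iterations, salt, expected = fields
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt), int(iterations))
    ok = hmac.compare_digest(dk, base64.b64decode(expected))
    return ok, ok and int(iterations) < ITERATIONS


def change_password(old_pw, new_pw, record, auth_type):
    """Re-hash only when the old password verifies and the new one differs."""
    ok, _ = verify(old_pw, record)
    if not ok or hmac.compare_digest(old_pw.encode(), new_pw.encode()):
        raise ValueError("old password wrong, or new password equals the old one")
    return new_record(new_pw, auth_type)
```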

After changing passwords, will patrons still be able to see all of their history and current requests? Will we need to merge accounts?

The account is the same and all history will be there. It is just the password that gets updated.

What will it look like when patrons are prompted to change their passwords?

Patrons using basic auth will be directed to the main menu. See sample image below. 

[Image: PatronPasswordChange.JPG]

Is making patron passwords expire an optional setting? Where is that set?

Yes, making the patron passwords expire is optional. There are new Customization Manager keys called UserPasswordExpirationEnabled and UserPasswordExpirationDays under System | Password Expiration. They default to yes and 180 days but can be changed after the update to ILLiad 9.

How does ILLiad track the date the password was changed?

There is a new Users table field called PasswordChangedDate that gets updated after a password change.

How will the patron be notified that their password is expired?

There are new Customization Manager keys called SLUserPasswordExpired and SLPasswordDoesNotMeetHistoryRequirements for web status lines that will display on the ChangePassword.html page. 

Since the ChangePassword form may now display immediately after a user logs in if a password change is required, you will want to enter the <#FORMSTATE> tag on the ChangePassword.html page to avoid losing session state & information transferring from source if entering ILLiad via OpenURL.

<form action="illiad.dll" method="post" name="ChangePassword" class="f-wrap-request">
<input type="hidden" name="ILLiadForm" value="ChangePassword">
<input type="hidden" name="Username" value="<#PARAM name='Username'>">
<input type="hidden" name="SessionID" value="<#PARAM name='SessionID'>">
<#FORMSTATE>
<div class="req"><b>*</b> Indicates required field</div>

Is it required to enforce password complexity? How is it set?

It is not required and has not changed; it still uses the WebValidation table.

Are there default password complexity settings already in place for the initial password change requirement?

It just uses your current WebValidation settings for the password field.

Are the hash algorithms different for each Authorization (Auth) type? How does ILLiad know what Auth type is being used?

Yes, the Auth type is encoded into the hash.

The Auth type is stored in the database record.

If I reset a patron password in the client, can I require them to change the password on next login?

YES! There is a new checkbox that allows you to force reset on next login.

What about the Lending Web? Will libraries who request from me via the lending web need to change their password too?

This feature will work the same as for patrons with new keys LWebPasswordExpirationEnabled & LWebPasswordExpirationDays. 
