From 29471b6becf016b5eb8c8cc77a6e80b163307e1f Mon Sep 17 00:00:00 2001
From: Steve Renaker <steve.renaker@mongodb.com>
Date: Fri, 1 Dec 2017 11:29:13 -0500
Subject: [PATCH] DOCS-10448: KeysRotationIntervalSec server parameter

---
 source/reference/parameters.txt | 15 +++++++++++++++
 source/release-notes/3.6.txt    |  5 +++++
 2 files changed, 20 insertions(+)

diff --git a/source/reference/parameters.txt b/source/reference/parameters.txt
index 92a5b1f0c42..639c6878686 100644
--- a/source/reference/parameters.txt
+++ b/source/reference/parameters.txt
@@ -131,6 +131,21 @@ Authentication Parameters
 
    See :ref:`localhost-exception` for more information.
 
+.. parameter:: KeysRotationIntervalSec
+
+   .. versionadded:: 3.6
+
+   *Default*: 7776000 seconds (90 days)
+
+   Specifies the number of seconds for which an `HMAC signing key
+   <https://en.wikipedia.org/wiki/Hash-based_message_authentication_code>`_
+   is valid before rotating to the next one. This parameter is intended
+   primarily to facilitate authentication testing.
+
+   You can only set :parameter:`KeysRotationIntervalSec` during
+   start-up, and cannot change this setting with the
+   :dbcommand:`setParameter` database command.
+
 .. parameter:: ldapUserCacheInvalidationInterval
 
    For use with MongoDB servers using :ref:`security-ldap-external`.
diff --git a/source/release-notes/3.6.txt b/source/release-notes/3.6.txt
index 0e41204d623..8ceca3df561 100644
--- a/source/release-notes/3.6.txt
+++ b/source/release-notes/3.6.txt
@@ -634,6 +634,11 @@ MongoDB 3.6 includes the following enhancements:
   output from both operations now includes a timestamp for when
   the plans were generated.
 
+- The new :parameter:`KeysRotationIntervalSec` server parameter
+  specifies the number of seconds for which an `HMAC signing key
+  <https://en.wikipedia.org/wiki/Hash-based_message_authentication_code>`_
+  is valid before rotating to the next one.
+
 Changes Affecting Compatibility
 -------------------------------