Re: IMPORTANT: Upcoming breaking changes in UAA V23/3.9.2/cf-release 248


Sree Tummidi
 

Hi Michael,

This is the new way to specify the signing key used by UAA for signing the
JWT tokens. This format allows for rotation of the keys.
bosh-lite is currently using the deprecated properties mentioned below. We
will be changing these to use the new rotatable properties in a subsequent
version.

Thank you for bringing this up, as I should have been clear in my communication.
UAA is no longer shipped with a default signing key. There are two ways to
set this key. I mentioned moving to the new format in my previous email.

*Deprecated Format*

*uaa.jwt.signing_key:*
  description: "Deprecated. Use uaa.jwt.policy.keys. The key used to sign the JWT-based OAuth2 tokens"
*uaa.jwt.verification_key:*
  description: "Deprecated. Use uaa.jwt.policy.keys. The key used to verify JWT-based OAuth2 tokens"


*New Format (verification key needn't be set as we derive it from the Private Key)*

*uaa.jwt.policy.keys:*
  description: "Map of key IDs and signing keys, each defined with a property `signingKey`"
  example:
    key-1:
      signingKey: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----

*uaa.jwt.policy.active_key_id:*
  description: "The ID of the JWT signing key to be used when signing tokens."
  example: "key-1"



Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry
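
The migration from the deprecated properties to the rotatable format, as an added example that is not UAA's or this thread's own code: it models the `uaa` block of a BOSH manifest as a Python dict (an assumed layout), converts it, rotates in a second key while keeping the old one so already-issued tokens still verify, and checks the constraints stated above; the PEM bodies are constructed placeholders.

```python
# Added example (not UAA's own code): migrate deprecated uaa.jwt.signing_key /
# uaa.jwt.verification_key manifest properties to the rotatable
# uaa.jwt.policy.keys / uaa.jwt.policy.active_key_id format, then rotate.
import copy

PEM_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
PEM_END = "-----END RSA PRIVATE KEY-----"

# Constructed placeholder keys; a real manifest carries full openssl-generated PEMs.
OLD_KEY = f"{PEM_BEGIN}\nOLDKEYBODY\n{PEM_END}\n"
NEW_KEY = f"{PEM_BEGIN}\nNEWKEYBODY\n{PEM_END}\n"


def migrate_jwt_policy(uaa_props, key_id="key-1"):
    """Return a copy of the 'uaa' property block with the deprecated signing
    properties replaced by the rotatable policy format."""
    props = copy.deepcopy(uaa_props)
    jwt = props["jwt"]
    signing_key = jwt.pop("signing_key")
    # verification_key is no longer needed: UAA derives it from the private key.
    jwt.pop("verification_key", None)
    jwt["policy"] = {"keys": {key_id: {"signingKey": signing_key}},
                     "active_key_id": key_id}
    return props


def rotate_signing_key(uaa_props, new_key_id, new_signing_key):
    """Add a new key and make it active. The previous key stays in the map so
    tokens it signed keep verifying until they expire."""
    props = copy.deepcopy(uaa_props)
    policy = props["jwt"]["policy"]
    policy["keys"][new_key_id] = {"signingKey": new_signing_key}
    policy["active_key_id"] = new_key_id
    return props


def validate_jwt_policy(uaa_props):
    """Check the requirements stated in the thread: a non-empty key map, an
    active_key_id that names one of them, and an RSA private key PEM per entry."""
    policy = uaa_props["jwt"]["policy"]
    keys = policy["keys"]
    if not keys:
        return False, "uaa.jwt.policy.keys is required and must not be empty"
    if policy["active_key_id"] not in keys:
        return False, "active_key_id does not name a key in uaa.jwt.policy.keys"
    for kid, entry in keys.items():
        sk = entry.get("signingKey", "")
        if not (sk.startswith(PEM_BEGIN) and sk.rstrip().endswith(PEM_END)):
            return False, f"{kid}: signingKey is not an RSA private key PEM"
    return True, "ok"
```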


On Mon, Nov 28, 2016 at 11:29 AM, Michael Fraenkel <michael.fraenkel(a)gmail.com> wrote:

How are the following required when they aren't used in bosh-lite?


*uaa.jwt.policy.keys:*
*uaa.jwt.policy.active_key_id:*

How does one migrate from what we have to these?

- Michael


On 11/28/16 1:56 PM, Sree Tummidi wrote:

*Please read carefully if you are using UAA as standalone or as a bosh release or part of cf-release*


Starting with UAA bosh release V23 <http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=23>, which packages UAA 3.9.2 <https://github.com/cloudfoundry/uaa/releases/tag/3.9.2>, and *cf-release 248 (in works)*, the following *properties have been made required.*

These are standard artifacts which can be generated using openssl. Please
refer to the topic here
<https://github.com/cloudfoundry/uaa-release#generating-a-self-signed-certificate> on
how to generate a self-signed cert.


*login.saml.serviceProviderCertificate:*
  description: "UAA SAML Service provider certificate. This is used for signing outgoing SAML Authentication Requests"
  example: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

*login.saml.serviceProviderKey:*
  description: "Private key for the service provider certificate."
  example: |
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----


*uaa.jwt.policy.keys:*
  description: "Map of key IDs and signing keys, each defined with a property `signingKey`"
  example:
    key-1:
      signingKey: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----

*uaa.jwt.policy.active_key_id:*
  description: "The ID of the JWT signing key to be used when signing tokens."
  example: "key-1"


Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry


