Re: IMPORTANT: Upcoming breaking changes in UAA V23/3.9.2/cf-release 248


Sree Tummidi
 

Hi Michael,

This is the new way to specify the signing key used by UAA for signing the
JWT tokens. This format allows for rotation of the keys.
bosh-lite is currently using the deprecated properties mentioned below. We
will be changing these use the new rotatable properties in a subsequent
version.

Thank you bringing this up as I should have been clear in my communication.
UAA is no longer shipped with a default signing key. There are two ways to
set this key. I mentioned moving to the new format in my previous email.

*Deprecated Format*

*uaa.jwt.signing_key:*
description: "Deprecated. Use uaa.jwt.policy.keys. The key used to sign the
JWT-based OAuth2 tokens"
*uaa.jwt.verification_key:*
description: "Deprecated. Use uaa.jwt.policy.keys. The key used to verify
JWT-based OAuth2 tokens"


*New Format (verification key needn't be set as we derive it from the
Private Key)*

*uaa.jwt.policy.keys:*
description: "Map of key IDs and signing keys, each defined with a
property `signingKey`"
example:
key-1:
signingKey: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

* uaa.jwt.policy.active_key_id:*
description: "The ID of the JWT signing key to be used when signing
tokens."
example: "key-1"



Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry


On Mon, Nov 28, 2016 at 11:29 AM, Michael Fraenkel <
michael.fraenkel(a)gmail.com> wrote:

How are the following required when they aren't used in bosh-lite?


*uaa.jwt.policy.keys: *
* uaa.jwt.policy.active_key_id:*

How does one migrate from what we have to these?

- Michael


On 11/28/16 1:56 PM, Sree Tummidi wrote:

*Please read carefully if you are using UAA as standalone or as a bosh
release or part of cf-release*


Starting with UAA bosh release V23
<http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=23> which
packages UAA 3.9.2
<https://github.com/cloudfoundry/uaa/releases/tag/3.9.2> and *cf-release
248 (in works)* the following *properties have been made required.*

These are standard artifacts which can be generated using openssl. Please
refer the topic here
<https://github.com/cloudfoundry/uaa-release#generating-a-self-signed-certificate> on
how to generate a self signed cert.


*login.saml.serviceProviderCertificate:*
description: "UAA SAML Service provider certificate. This is used for
signing outgoing SAML Authentication Requests"
example: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE----

*login.saml.serviceProviderKey:*
description: "Private key for the service provider certificate."
example: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


*uaa.jwt.policy.keys:*
description: "Map of key IDs and signing keys, each defined with a
property `signingKey`"
example:
key-1:
signingKey: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

* uaa.jwt.policy.active_key_id:*
description: "The ID of the JWT signing key to be used when signing
tokens."
example: "key-1"


Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry



Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.