Re: IMPORTANT: Upcoming breaking changes in UAA V23/3.9.2/cf-release 248


Sree Tummidi
 

I have been informed by the CAPI team that the changes in Cloud Controller
to use the new rotatable signing key format are not yet in place and are
blocked on some fixes for CF-UAA-LIB
<https://www.pivotaltracker.com/n/projects/997278/stories/133947925>.

For *CF-Release ONLY*, please continue to use the deprecated way of setting
the UAA JWT Signing and Verification key as mentioned below.
We will be sending out a separate notification on when we are ready to make
the switch to rotatable signing key format.

*uaa.jwt.signing_key:*
  description: "The key used to sign the JWT-based OAuth2 tokens"
*uaa.jwt.verification_key:*
  description: "The key used to verify JWT-based OAuth2 tokens"



Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry

On Mon, Nov 28, 2016 at 11:41 AM, Sree Tummidi <stummidi(a)pivotal.io> wrote:

Hi Michael,

This is the new way to specify the signing key used by UAA for signing the
JWT tokens. This format allows for rotation of the keys.
bosh-lite is currently using the deprecated properties mentioned below. We
will be changing these to use the new rotatable properties in a subsequent
version.

Thank you for bringing this up, as I should have been clearer in my
communication. UAA is no longer shipped with a default signing key. There
are two ways to set this key. I mentioned moving to the new format in my
previous email.

*Deprecated Format*

*uaa.jwt.signing_key:*
  description: "Deprecated. Use uaa.jwt.policy.keys. The key used to sign the JWT-based OAuth2 tokens"
*uaa.jwt.verification_key:*
  description: "Deprecated. Use uaa.jwt.policy.keys. The key used to verify JWT-based OAuth2 tokens"


*New Format (verification key needn't be set as we derive it from the
Private Key)*

*uaa.jwt.policy.keys:*
  description: "Map of key IDs and signing keys, each defined with a property `signingKey`"
  example:
    key-1:
      signingKey: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----

*uaa.jwt.policy.active_key_id:*
  description: "The ID of the JWT signing key to be used when signing tokens."
  example: "key-1"



Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry


On Mon, Nov 28, 2016 at 11:29 AM, Michael Fraenkel <michael.fraenkel(a)gmail.com> wrote:

How are the following required when they aren't used in bosh-lite?


*uaa.jwt.policy.keys:*
*uaa.jwt.policy.active_key_id:*

How does one migrate from what we have to these?

- Michael


On 11/28/16 1:56 PM, Sree Tummidi wrote:

*Please read carefully if you are using UAA as standalone or as a bosh
release or part of cf-release*


Starting with UAA bosh release V23
<http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=23>,
which packages UAA 3.9.2
<https://github.com/cloudfoundry/uaa/releases/tag/3.9.2>, and *cf-release
248 (in the works)*, the following *properties have been made required.*

These are standard artifacts which can be generated using openssl. Please
refer to the topic here
<https://github.com/cloudfoundry/uaa-release#generating-a-self-signed-certificate>
on how to generate a self-signed cert.


*login.saml.serviceProviderCertificate:*
  description: "UAA SAML Service provider certificate. This is used for signing outgoing SAML Authentication Requests"
  example: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

*login.saml.serviceProviderKey:*
  description: "Private key for the service provider certificate."
  example: |
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----


*uaa.jwt.policy.keys:*
  description: "Map of key IDs and signing keys, each defined with a property `signingKey`"
  example:
    key-1:
      signingKey: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----

*uaa.jwt.policy.active_key_id:*
  description: "The ID of the JWT signing key to be used when signing tokens."
  example: "key-1"


Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry
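The rotation semantics behind uaa.jwt.policy.keys and uaa.jwt.policy.active_key_id, as an added Go example that is not part of this thread or of UAA's own code: the hypothetical KeyPolicy type holds the key map and active key ID in memory (newKey generates throwaway keys in place of the PEM blocks a deployment would load), Sign uses the active key and records its ID in the kid header, and Verify checks against the public half of whichever policy key the kid names, which is why the new format needs no separate verification_key.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type KeyPolicy struct {
	Keys        map[string]*rsa.PrivateKey // uaa.jwt.policy.keys: key ID -> private signing key
	ActiveKeyID string                     // uaa.jwt.policy.active_key_id
}

func newKey() *rsa.PrivateKey { // demo stand-in for the PEM a deployment would load
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // err is non-nil only if rand.Reader fails
	return k
}

// Sign issues an RS256 token with the active key and names that key in the "kid" header.
func (p *KeyPolicy) Sign(claims map[string]string) (string, error) {
	priv, ok := p.Keys[p.ActiveKeyID]
	if !ok {
		return "", errors.New("active_key_id is not one of the policy keys")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": p.ActiveKeyID})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// Verify checks the signature with the public half of the key "kid" names; no separate verification key is configured.
func (p *KeyPolicy) Verify(token string) bool {
	hdrB64, rest, ok1 := strings.Cut(token, ".")
	bodyB64, sigB64, ok2 := strings.Cut(rest, ".")
	var hdr struct{ Alg, Kid string }
	hdrJSON, err := base64.RawURLEncoding.DecodeString(hdrB64)
	sig, err2 := base64.RawURLEncoding.DecodeString(sigB64)
	if !ok1 || !ok2 || err != nil || err2 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return false // malformed token, or an alg other than the one we issue
	}
	priv := p.Keys[hdr.Kid] // nil when kid is not (or no longer) in the policy
	h := sha256.Sum256([]byte(hdrB64 + "." + bodyB64))
	return priv != nil && rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, h[:], sig) == nil
}
```

Adding key-2 to the map and switching active_key_id to it keeps tokens issued under key-1 valid until key-1 is removed from the map, which is the rotation the new format is designed for.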


