Begin forwarded message:

From: Sree Tummidi <stummidi(a)pivotal.io>
Subject: [cf-dev] IMPORTANT: Upcoming breaking changes in UAA V23/3.9.2/cf-release 248
Date: November 28, 2016 at 1:56:00 PM EST
To: "stummidi(a)pivotal.io" <stummidi(a)pivotal.io>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>

Please read carefully if you are using UAA as standalone or as a bosh release or part of cf-release


Starting with UAA bosh release V23 <http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=23> which packages UAA 3.9.2 <https://github.com/cloudfoundry/uaa/releases/tag/3.9.2> and cf-release 248 (in works) the following properties have been made required.

These are standard artifacts which can be generated using openssl. Please refer the topic here <https://github.com/cloudfoundry/uaa-release#generating-a-self-signed-certificate> on how to generate a self signed cert.


login.saml.serviceProviderCertificate:
description: "UAA SAML Service provider certificate. This is used for signing outgoing SAML Authentication Requests"
example: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE----

login.saml.serviceProviderKey:
description: "Private key for the service provider certificate."
example: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


uaa.jwt.policy.keys:
description: "Map of key IDs and signing keys, each defined with a property `signingKey`"
example:
key-1:
signingKey: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

uaa.jwt.policy.active_key_id:
description: "The ID of the JWT signing key to be used when signing tokens."
example: "key-1"


Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry

*Please read carefully if you are using UAA as _standalone_ or as a
_bosh release_ or part of _cf-release_*


Starting with UAA bosh release V23
<http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=23> which
packages UAA 3.9.2
<https://github.com/cloudfoundry/uaa/releases/tag/3.9.2> and
*cf-release 248 (in works)* the following *_properties have been made
required._*
*_
_*
These are standard artifacts which can be generated using openssl.
Please refer the topic here
<https://github.com/cloudfoundry/uaa-release#generating-a-self-signed-certificate> on
how to generate a self signed cert.
*_
_*

*login.saml.serviceProviderCertificate:*
description: "UAA SAML Service provider certificate. This is used for
signing outgoing SAML Authentication Requests"
example: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE----
*login.saml.serviceProviderKey:*
description: "Private key for the service provider certificate."
example: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

*uaa.jwt.policy.keys:*
description: "Map of key IDs and signing keys, each defined with a
property `signingKey`"
example:
key-1:
signingKey: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
* uaa.jwt.policy.active_key_id:*
description: "The ID of the JWT signing key to be used when signing
tokens."
example: "key-1"


Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry

Hi Michael,

This is the new way to specify the signing key used by UAA for signing the
JWT tokens. This format allows for rotation of the keys.
bosh-lite is currently using the deprecated properties mentioned below. We
will be changing these use the new rotatable properties in a subsequent
version.

Thank you bringing this up as I should have been clear in my
communication. UAA is no longer shipped with a default signing key. There
are two ways to set this key. I mentioned moving to the new format in my
previous email.

*Deprecated Format*

*uaa.jwt.signing_key:*
description: "Deprecated. Use uaa.jwt.policy.keys. The key used to sign
the JWT-based OAuth2 tokens"
*uaa.jwt.verification_key:*
description: "Deprecated. Use uaa.jwt.policy.keys. The key used to verify
JWT-based OAuth2 tokens"


*New Format (verification key needn't be set as we derive it from the
Private Key)*

*uaa.jwt.policy.keys:*
description: "Map of key IDs and signing keys, each defined with a
property `signingKey`"
example:
key-1:
signingKey: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

* uaa.jwt.policy.active_key_id:*
description: "The ID of the JWT signing key to be used when signing
tokens."
example: "key-1"



Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry


On Mon, Nov 28, 2016 at 11:29 AM, Michael Fraenkel <
michael.fraenkel(a)gmail.com> wrote:

How are the following required when they aren't used in bosh-lite?


*uaa.jwt.policy.keys: *
* uaa.jwt.policy.active_key_id:*

How does one migrate from what we have to these?

- Michael


On 11/28/16 1:56 PM, Sree Tummidi wrote:

*Please read carefully if you are using UAA as standalone or as a bosh
release or part of cf-release*


Starting with UAA bosh release V23
<http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=23> which
packages UAA 3.9.2
<https://github.com/cloudfoundry/uaa/releases/tag/3.9.2> and *cf-release
248 (in works)* the following *properties have been made required.*

These are standard artifacts which can be generated using openssl. Please
refer the topic here
<https://github.com/cloudfoundry/uaa-release#generating-a-self-signed-certificate> on
how to generate a self signed cert.


*login.saml.serviceProviderCertificate:*
description: "UAA SAML Service provider certificate. This is used for
signing outgoing SAML Authentication Requests"
example: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE----

*login.saml.serviceProviderKey:*
description: "Private key for the service provider certificate."
example: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


*uaa.jwt.policy.keys:*
description: "Map of key IDs and signing keys, each defined with a
property `signingKey`"
example:
key-1:
signingKey: |
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

* uaa.jwt.policy.active_key_id:*
description: "The ID of the JWT signing key to be used when signing
tokens."
example: "key-1"


Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry