Issues on upgrading UAA 3.6.0 to 3.12.0?


Sam Leong
 

Hi,

We've been running UAA 3.6 on production and need to upgrade to 3.12. One requirement is that we will need to retain the validity of the token that was issued by UAA 3.6 after the upgrade.

We used the default key for token signing in 3.6; in the upgrade we will use a new key, so I'd like to know how the client will be able to verify the signature of the old, still-valid tokens while the new tokens are signed by a new key after the upgrade to 3.12.

Thanks, Sam


Filip Hanik
 

We recommend that you upgrade to 3.16.0 to make sure you get all security fixes included.

The UAA you are upgrading to supports multiple keys. Here is an example:

https://github.com/cloudfoundry/uaa/blob/develop/uaa/src/test/resources/test/bootstrap/all-properties-set.yml#L72-L82

Add both your new and old keys into the configuration. Then set the activeKeyId to be the new key.

The old key will be used to verify existing tokens only. The new key will be used to sign new tokens.
When you believe the time is right, you can remove the old key from the configuration. Any tokens still signed with the old key will then be considered invalid.

Filip
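The key-ring behaviour described above, as an added illustration that is not UAA's own code: a ring with an old and a new key, the token's `kid` header selecting which key verifies it, and the old key's removal invalidating tokens signed with it. The key ids and secrets are constructed demo values, and symmetric HS256 keys are used so the example runs on the standard library alone; the dictionary layout only loosely mirrors UAA's `jwt.token.policy` properties.

```python
import base64, hashlib, hmac, json, time

# Constructed key ring modelled on UAA's jwt.token.policy block: one secret per key id, plus activeKeyId naming the key that signs NEW tokens.
KEY_RING = {
    "activeKeyId": "key-2017-05",
    "keys": {
        "legacy-key": "old-3.6-signing-secret",    # key the 3.6 deployment signed with (demo value)
        "key-2017-05": "new-3.12-signing-secret",  # key introduced by the upgrade (demo value)
    },
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, ring: dict) -> str:
    """Issue an HS256 JWT with the ring's active key; its id is carried in the 'kid' header."""
    kid = ring["activeKeyId"]
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(ring["keys"][kid].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, ring: dict) -> "dict | None":
    """Return the claims if the token verifies with the ring key named by its 'kid', else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                         # malformed structure or base64/JSON
        return None
    if header.get("alg") != "HS256":           # reject 'none' and algorithm substitution
        return None
    secret = ring["keys"].get(header.get("kid"))
    if secret is None:                         # kid no longer in the ring: token is untrusted
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) < time.time():     # old-key tokens still honour their own expiry
        return None
    return claims

def retire_key(ring: dict, kid: str) -> dict:
    """Drop a key from the ring (the 'when the time is right' step); the active key is never dropped."""
    assert kid != ring["activeKeyId"], "retire the old key, not the active one"
    return {"activeKeyId": ring["activeKeyId"], "keys": {k: v for k, v in ring["keys"].items() if k != kid}}
```

Tokens issued before the rotation verify only as long as their `kid` is still in the ring, so the removal step is what finally revokes them.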

On Mon, May 8, 2017 at 4:23 PM, Sam Leong <sam.leong(a)quicken.com> wrote: