This release includes UAA 3.9.2
IMPORTANT BACKWARDS INCOMPATIBLE CHANGES
Starting with this release, UAA no longer provides default values for the SAML Service Provider certificate and the JWT signing key, as a security best practice. These must be generated explicitly for each deployment of UAA and are required for UAA to start up and function properly.
These are standard artifacts that can be generated with openssl. Please refer to the topic here on how to generate a self-signed certificate.
```yaml
login.saml.serviceProviderCertificate:
  description: "UAA SAML Service provider certificate. This is used for signing outgoing SAML Authentication Requests"
  example: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
login.saml.serviceProviderKeyPassword:
  description: "Password to protect the service provider private key, blank if no password set."
  example: ""
login.saml.serviceProviderKey:
  description: "Private key for the service provider certificate."
  example: |
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
```
Deprecated Format for JWT Signing Key
NOTE: Please continue to use this format for setting the signing and verification key in cf-release, as it does not yet support reading the new format.
```yaml
uaa.jwt.signing_key:
  description: "Deprecated. Use uaa.jwt.policy.keys. The key used to sign the JWT-based OAuth2 tokens"
uaa.jwt.verification_key:
  description: "Deprecated. Use uaa.jwt.policy.keys. The key used to verify JWT-based OAuth2 tokens"
```
New Format for JWT Signing Keys (the verification key need not be set, as it is derived from the private key)
```yaml
uaa.jwt.policy.keys:
  description: "Map of key IDs and signing keys, each defined with a property `signingKey`"
  example:
    key-1:
      signingKey: |
        -----BEGIN RSA PRIVATE KEY-----
        -----END RSA PRIVATE KEY-----
uaa.jwt.policy.active_key_id:
  description: "The ID of the JWT signing key to be used when signing tokens."
  example: "key-1"
```
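Because v23 no longer ships default keys, a manifest that still relies on them fails at start-up. The following pre-deploy lint is an added example, not part of uaa-release: it checks that the SAML Service Provider certificate and key are present and PEM-shaped, flags the deprecated uaa.jwt.signing_key / uaa.jwt.verification_key properties, and verifies that uaa.jwt.policy.active_key_id names an entry in uaa.jwt.policy.keys. The PEM bodies and property dicts are constructed samples; accepting PKCS#8 "PRIVATE KEY" blocks alongside the page's "RSA PRIVATE KEY" example is an assumption.

```python
import re

# Constructed, non-functional PEM blocks: correct shape only, not real key material.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIICexampleCERTbody==\n-----END CERTIFICATE-----"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEexampleKEYbody==\n-----END RSA PRIVATE KEY-----"

# One PEM block: matching BEGIN/END labels (five dashes each side) around a base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+\n-----END \1-----")
# PKCS#1 label as in the page's example; PKCS#8 "PRIVATE KEY" accepted by assumption.
PRIVATE_KEY_KINDS = {"RSA PRIVATE KEY", "PRIVATE KEY"}

def pem_kind(value):
    """Return the PEM label (e.g. 'CERTIFICATE') if value is a well-formed PEM block, else None."""
    if not isinstance(value, str):
        return None
    m = PEM_RE.fullmatch(value.strip())
    return m.group(1) if m else None

def check_uaa_properties(props):
    """Lint the properties UAA 3.9.2 requires; return a list of (severity, message)."""
    findings = []
    saml = props.get("login", {}).get("saml", {})
    if pem_kind(saml.get("serviceProviderCertificate")) != "CERTIFICATE":
        findings.append(("error", "login.saml.serviceProviderCertificate missing or not a CERTIFICATE PEM"))
    if pem_kind(saml.get("serviceProviderKey")) not in PRIVATE_KEY_KINDS:
        findings.append(("error", "login.saml.serviceProviderKey missing or not a private key PEM"))
    jwt = props.get("uaa", {}).get("jwt", {})
    for old in ("signing_key", "verification_key"):
        if old in jwt:
            findings.append(("warn", f"uaa.jwt.{old} is deprecated; use uaa.jwt.policy.keys"))
    policy = jwt.get("policy", {})
    keys = policy.get("keys") or {}
    if not keys:
        findings.append(("error", "uaa.jwt.policy.keys is empty; no default signing key is provided any more"))
    for kid, entry in keys.items():
        if pem_kind((entry or {}).get("signingKey")) not in PRIVATE_KEY_KINDS:
            findings.append(("error", f"uaa.jwt.policy.keys.{kid}.signingKey is not a private key PEM"))
    active = policy.get("active_key_id")
    if active not in keys:
        findings.append(("error", f"uaa.jwt.policy.active_key_id {active!r} names no configured key"))
    return findings

# Constructed manifests: one set up for v23, one still written for the old defaults.
GOOD = {"login": {"saml": {"serviceProviderCertificate": FAKE_CERT, "serviceProviderKey": FAKE_KEY,
                           "serviceProviderKeyPassword": ""}},
        "uaa": {"jwt": {"policy": {"keys": {"key-1": {"signingKey": FAKE_KEY}}, "active_key_id": "key-1"}}}}
LEGACY = {"uaa": {"jwt": {"signing_key": FAKE_KEY, "policy": {"keys": {}, "active_key_id": "key-1"}}}}

if __name__ == "__main__":
    for name, props in (("good", GOOD), ("legacy", LEGACY)):
        print(name, check_uaa_properties(props))
```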
Upload this release version to the Director:
```shell
$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=23 --sha1 ed0799f760850858499d6a975813215ca19c7579
```
Modify deployment manifest to use this release in addition to any other used releases:
```yaml
releases:
- name: uaa
  version: "23"
```
Finally add needed deployment jobs and specify values for required properties.
Optionally, download the release tarball (sha1: ed0799f760850858499d6a975813215ca19c7579) locally:
```shell
# ...or download it directly using curl
$ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=23
# or with wget...
$ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=23
```