Skip to content

uaa job from cf/211

The UAA is the identity management service for Cloud Foundry. It's primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.

Github source: 48c88357 or master branch

Properties

domain

The domain name for this CloudFoundry deploy

env

http_proxy

The http_proxy accross the VMs

https_proxy

The https_proxy accross the VMs

no_proxy

Set No_Proxy accross the VMs

login

analytics

code

Analytics code

domain

Analytics domain

asset_base_url

Base url for static assets, allows custom styling of the login server. Use ‘/resources/pivotal’ for Pivotal style.

brand

The brand to use for the reset password emails, available values are oss and pivotal

Default
oss

catalina_opts

entity_id

Deprecated: Use login.saml.entityid

invitations_enabled

Allows users to send invitations to email addresses outside the system and invite them to create an account. Disabled by default.

ldap

localPasswordCompare

See uaa.ldap.localPasswordCompare - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
"true"
passwordAttributeName

See uaa.ldap.passwordAttributeName - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
userPassword
passwordEncoder

See uaa.ldap.passwordEncoder - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator
profile_type

See uaa.ldap.profile_type - login.ldap prefix is used for backwards compatibility to enable ldap from login config

searchBase

See uaa.ldap.searchBase - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
""
searchFilter

See uaa.ldap.searchFilter - login.ldap prefix is used for backwards compatibility to enable ldap from login config

Default
cn={0}
sslCertificate

See uaa.ldap.sslCertificate - login.ldap prefix is used for backwards compatibility to enable ldap from login config

sslCertificateAlias

See uaa.ldap.sslCertificateAlias - login.ldap prefix is used for backwards compatibility to enable ldap from login config

url

See uaa.ldap.url - login.ldap prefix is used for backwards compatibility to enable ldap from login config

userDN

See uaa.ldap.userDN - login.ldap prefix is used for backwards compatibility to enable ldap from login config

userDNPattern

See uaa.ldap.userDNPattern - login.ldap prefix is used for backwards compatibility to enable ldap from login config

userPassword

See uaa.ldap.userPassword - login.ldap prefix is used for backwards compatibility to enable ldap from login config

A hash of home/passwd/signup URLS (see commented examples below)

home

URL for primary console/dashboard for users

Default
https://console.run.pivotal.io
network

URL for Pivotal Network

Default
https://network.gopivotal.com/login
passwd

URL for requesting password reset

Default
https://console.run.pivotal.io/password_resets/new
signup

URL for requesting to signup/register for an account

Default
https://console.run.pivotal.io/register
signup-network

URL for requesting to signup/register for an account at Pivotal Network

Default
https://network.gopivotal.com/registrations/new

logout

redirect
parameter
disable

When set to false, this allows an operator to leverage an open redirect on the UAA (/logout.do?redirect=google.com). Default value is true. No open redirect enabled

whitelist

A list of URLs. When this list is non null, including empty, and disable=false, logout redirects are allowed, but limited to the whitelist URLs. If a redirect parameter value is not white listed, redirect will be to the default URL.

url

The Location of the redirect header following a logout of the the UAA (/logout.do). Default value is back to login page (/login)

messages

A nested or flat hash of messages that the login server uses to display UI message This will be flattened into a java.util.Properties file. The example below will lead to four properties, where the key is the concatenated value delimited by dot, for example scope.tokens.read=message Nested example: messages: scope: tokens: read: View details of your approvals you have granted to this and other applications write: Cancel the approvals like this one that you have granted to this and other applications cloud_controller: read: View details of your applications and services write: Push applications to your account and create and bind services Flat example: messages: scope.tokens.read: View details of your approvals you have granted to this and other applications scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications scope.cloud_controller.read: View details of your applications and services scope.cloud_controller.write: Push applications to your account and create and bind services

notifications

url

The url for the notifications service (configure to use Notifications Service instead of SMTP server)

port

Default
8080

protocol

Scheme to use for HTTP communication (http/https)

saml

assertion_consumer_index

Deprecated: Use login.saml.providers list objects

Default
1
entityid

The ID to represent this server

idpEntityAlias

Deprecated: Use login.saml.providers list objects

idpMetadataURL

Deprecated: Use login.saml.providers list objects

idp_metadata_file

Deprecated: Use login.saml.providers list objects

keystore_key

Key name of the SAML login server keystore.

Default
selfsigned
keystore_name

Name of the SAML login server keystore.

Default
samlKeystore.jks
keystore_password

Key password to the SAML login server keystore.

Default
password
metadataTrustCheck

Deprecated: Use login.saml.providers list objects

Default
true
nameidFormat

Deprecated: Use login.saml.providers list objects

Default
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
providers

Contains a hash of SAML Identity Providers, the key is the IDP Alias, followed by key/value pairs for idpMetadata, nameID, assertionConsumerIndex, metadataTrustCheck, showSamlLoginLink, linkText, iconUrl

serviceProviderCertificate

Service provider certificate.

serviceProviderKey

Private key for the service provider certificate.

serviceProviderKeyPassword

Password to protect the service provider private key.

socket
connectionManagerTimeout

Timeout in milliseconds for connection pooling for SAML metadata HTTP requests

soTimeout

Read timeout in milliseconds for SAML metadata HTTP requests

signups_enabled

Enable account creation flow in the login server. Enabled by default.

smtp

SMTP server configuration, for password reset emails etc.

host

SMTP server host address

Default
localhost
password

SMTP server password

port

SMTP server port

Default
2525
user

SMTP server username

spring_profiles

See uaa.spring_profiles - login.spring_profiles is used for backwards compatibility to enable ldap from login config

tiles

A list of links to other services to show on the landing page after logging in and/or signing up, depending on whether login-link and/or signup-link is specified.

uaa_base

Location of the UAA.

uaa_certificate

Certificate to import if the UAA is using self-signed certificates

nats

machines

IP of each NATS cluster member.

password

Password for NATS login

port

TCP port of NATS server

user

User name for NATS login

networks

apps

The App network name

uaa

admin

client_secret

Secret of the admin client - a client named admin with uaa.admin as an authority

authentication

policy
countFailuresWithinSeconds

Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked

lockoutAfterFailures

Number of allowed failures before account is locked

lockoutPeriodSeconds

Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded

catalina_opts

Default
-Xmx768m -XX:MaxPermSize=256m

cc

client_secret
token_secret

client

autoapprove

clients

login
secret

Login client secret - overrides uaa.login.client_secret

database

abandoned_timeout

Timeout in seconds for the longest running queries. Take into DB migrations for this timeout as they may run during a long period of time.

Default
300
log_abandoned

Should connections that are forcibly closed be logged.

Default
true
max_connections

The max number of open connections to the DB from a running UAA instance

Default
100
max_idle_connections

The max number of open idle connections to the DB from a running UAA instance

Default
10
remove_abandoned

True if connections that are left open longer then abandoned_timeout seconds during a session(time between borrow and return from pool) should be forcibly closed

Default
false

dump_requests

issuer

The url to use as the issuer URI

jwt

signing_key
verification_key

ldap

enabled

Set to true to enable LDAP

Default
false
groups
autoAdd

Set to true when profile_type=groups_as_scopes to auto create scopes for a user. Ignored for other profiles.

Default
"true"
groupRoleAttribute

Used with groups-as-scopes, defines the attribute that holds the scope name(s).

groupSearchFilter

Search query filter to find groups a user belongs to, or for a nested search, groups that a group belongs to

Default
member={0}
maxSearchDepth

Set to number of levels a nested group search should go. Set to 1 to disable nested groups (default)

Default
"1"
profile_type

What type of group integration should be used. Values are no-groups, groups-as-scopes and groups-map-to-scopes

Default
no-groups
searchBase

Search start point for a user group membership search

Default
""
searchSubtree

Boolean value, set to true to search below the search base

Default
"true"
localPasswordCompare

Used with search-and-compare only. Set to true if passwords are retrieved by the search, and should be compared in the login server.

Default
"true"
mailAttributeName

The name of the LDAP attribute that contains the users email address

Default
mail
mailSubstitute

Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication

Default
""
mailSubstituteOverridesLdap

Set to true if you wish to override an LDAP user email address with a generated one

Default
false
passwordAttributeName

Used with search-and-compare only. The name of the password attribute in the LDAP directory

Default
userPassword
passwordEncoder

Used with search-and-compare only. The encoder used to properly encode user password to match the one in the LDAP directory.

Default
org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator
profile_type

The file to be used for configuring the LDAP authentication. options are simple-bind, search-and-bind and search-and-compare

Default
search-and-bind
searchBase

Used with search-and-bind and search-and-compare. Define a base where the search starts at.

Default
""
searchFilter

Used with search-and-bind and search-and-compare. Search filter used. Takes one parameter, user ID defined as {0}

Default
cn={0}
sslCertificate

Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this connection.

sslCertificateAlias

Used with ldaps:// URLs. The certificate alias, to be trusted by this connection and stored in the keystore.

url

The URL to the ldap server, must start with ldap:// or ldaps://

userDN

Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permissions to perform a search of the LDAP tree for user information.

userDNPattern

Used with simple-bind only. A semi-colon separated lists of DN patterns to construct a DN direct from the user ID without performing a search.

userDNPatternDelimiter

The delimiter character in between user DN patterns for simple bind authentication

Default
;
userPassword

Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.

login

client_secret

Deprecated. Default login client secret if no login client is defined

newrelic

To enable newrelic monitoring, the sub element of this property will be placed in a configuration file called newrelic.yml in the jobs config directory. The syntax that must adhere to documentation in https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file The JVM option -javaagent:/path/to/newrelic.jar will be added to Apache Tomcat’s startup script The enablement of the NewRelic agent in the UAA is triggered by the property uaa.newrelic.common.license_key The property uaa.newrelic.common.license_key must be set!

no_ssl

when true, uaa uses http, otherwise it uses https

Default
false

openid

fallbackToAuthcode

When using the hybrid flow to get a id_token, suppress the exception if the client doesn’t have the implicit grant.

Default
true

port

Port that uaa will accept connections on

Default
8080

require_https

restricted_ips_regex

A pipe delimited set of regular expressions of IP addresses that can reach the listening HTTP port of the server.

Default
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}

scim

external_groups

A list of external group mappings. Pipe delimited. A value may look as ‘- internal.read|cn=developers,ou=scopes,dc=test,dc=com’

user
override
userids_enabled
Default
false
users

spring_profiles

Deprecated. Use ‘uaa.ldap.enabled’. Sets the Spring profiles on the UAA web application. This gets combined with the ‘uaadb.db_scheme’ property if and only if the value is exactly ‘ldap’ in order to setup the database, for example ‘ldap,mysql’. If spring_profiles contains more than just ‘ldap’ it will be used to overwrite spring_profiles and db_scheme ignored. See uaa.yml.erb.

url

user

authorities

Contains a list of the default authorities/scopes assigned to a user.

Default
  - openid
  - scim.me
  - cloud_controller.read
  - cloud_controller.write
  - cloud_controller_service_permissions.read
  - password.write
  - uaa.user
  - approvals.me
  - oauth.approvals
  - notification_preferences.read
  - notification_preferences.write

zones

internal
hostnames

A list of hostnames that are routed to the UAA, specifically the default zone in the UAA. The UAA will reject any Host headers that it doesn’t recognize. By default the UAA recognizes uaa. - the default UAA route login. - the login-server route that the UAA now also serves. localhost - in order to accept health checks Any hostnames added as a list are additive to the default hostnames allowed. Example uaa: zones: internal: hostnames: - hostname1 - hostname2.localhost - hostname3.example.com

Default
- uaa.service.consul

uaadb

address

The UAA database IP address

databases

The list of databases used in UAA database including tag/name

db_scheme

Database scheme for UAA DB

port

The UAA database Port

roles

The list of database Roles used in UAA database including tag/name/password

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/uaa/ directory (learn more).

  • bin/dns_health_check (from dns_health_check.erb)
  • bin/install_crt (from install_crt.erb)
  • bin/uaa_cf-registrar_ctl (from cf-registrar_ctl)
  • bin/uaa_ctl (from uaa_ctl.erb)
  • config/cf-registrar/config.yml (from cf-registrar.config.yml.erb)
  • config/ldap.crt (from ldap.crt.erb)
  • config/log4j.properties (from log4j.properties.erb)
  • config/login.yml (from login.yml.erb)
  • config/messages.properties (from messages.properties.erb)
  • config/newrelic.yml (from newrelic.yml.erb)
  • config/tomcat/logging.properties (from tomcat.logging.properties)
  • config/tomcat/server.xml (from tomcat.server.xml.erb)
  • config/uaa.yml (from uaa.yml.erb)
  • config/varz.log4j.properties (from varz.log4j.properties.erb)
  • config/varz.yml (from varz.yml.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.