UAA 3.9.2 Release Notes
IMPORTANT BACKWARDS INCOMPATIBLE CHANGES
Starting with this release, UAA no longer ships default values for the SAML Service Provider certificate and the JWT signing key, as a security best practice. These must be generated explicitly for each UAA deployment and are required for UAA to start up and function properly.
These are standard artifacts that can be generated with openssl. Please refer to the topic here on how to generate a self-signed certificate.
The following required SAML properties need to be set in login.yml:
serviceProviderKey: |
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
serviceProviderCertificate: |
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
serviceProviderKeyPassword:
The following required UAA JWT signing properties need to be set.
Please note that the following properties have been deprecated in UAA. You are advised to use the new format for specifying the JWT signing key, which allows keys to be rotated.
Deprecated format for the JWT signing key in UAA.yml:
jwt:
  token:
    verification-key: |
      -----BEGIN PUBLIC KEY-----
      -----END PUBLIC KEY-----
    signing-key: |
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----
New format for the JWT signing key in UAA.yml:
jwt:
  policy:
    activeKeyId: key-id-1
    keys:
      key-id-1:
        signingKey: |
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----
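The two configuration steps above (the SAML properties for login.yml and the rotatable jwt.policy format for UAA.yml) as an added script; this is example code, not part of the UAA project. It assumes openssl on PATH, and the CN, validity period, key id and file names are assumptions you should adjust per deployment.

```shell
#!/bin/sh
# Added example, not UAA project code: generate per-deployment SAML SP key/cert and
# a JWT signing key with openssl, then render the login.yml and UAA.yml fragments
# from these notes. CN, validity, key id and file names are assumptions.
set -eu

# Prefix every line of a PEM file so it nests under a "key: |" block scalar.
indent_pem() {  # usage: indent_pem <file> <prefix-spaces>
  sed "s/^/$2/" "$1"
}

# SAML SP key + self-signed cert, plus a separate RSA key for JWT signing.
# OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE KEY") by default; -traditional (3.x only)
# gives the PKCS#1 "BEGIN RSA PRIVATE KEY" header shown in the release notes.
# On OpenSSL 1.1.x drop -traditional, since PKCS#1 is already its default.
gen_keys() {  # usage: gen_keys <outdir>
  openssl genrsa -traditional -out "$1/saml-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/saml-key.pem" -out "$1/saml-cert.pem" \
    -days 365 -subj "/CN=uaa.example.test"
  openssl genrsa -traditional -out "$1/jwt-key-1.pem" 2048 2>/dev/null
}

# login.yml fragment: the three required serviceProvider* properties.
render_login_yml() {  # usage: render_login_yml <keyfile> <certfile> [keypassword]
  printf 'serviceProviderKey: |\n'
  indent_pem "$1" '  '
  printf 'serviceProviderCertificate: |\n'
  indent_pem "$2" '  '
  printf 'serviceProviderKeyPassword: %s\n' "${3:-}"
}

# UAA.yml fragment in the rotatable jwt.policy format (activeKeyId + keys map).
# Rotation: add another id under keys: and point activeKeyId at it.
render_jwt_policy_yml() {  # usage: render_jwt_policy_yml <key-id> <keyfile>
  printf 'jwt:\n  policy:\n    activeKeyId: %s\n    keys:\n      %s:\n        signingKey: |\n' "$1" "$1"
  indent_pem "$2" '          '
}

# Pre-start check: a fragment must carry a private-key block, since no default exists anymore.
has_private_key_block() {  # usage: has_private_key_block <yamlfile>
  grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1" && grep -q -- '-----END.*PRIVATE KEY-----' "$1"
}

# Set UAA_KEY_DIR=<outdir> to generate keys and write both fragments (needs openssl).
if [ -n "${UAA_KEY_DIR:-}" ]; then
  gen_keys "$UAA_KEY_DIR"
  render_login_yml "$UAA_KEY_DIR/saml-key.pem" "$UAA_KEY_DIR/saml-cert.pem" > "$UAA_KEY_DIR/login-saml.yml"
  render_jwt_policy_yml key-id-1 "$UAA_KEY_DIR/jwt-key-1.pem" > "$UAA_KEY_DIR/uaa-jwt.yml"
  has_private_key_block "$UAA_KEY_DIR/uaa-jwt.yml" && echo "fragments written to $UAA_KEY_DIR"
fi
```

Merge the generated fragments into your login.yml and UAA.yml; the indentation produced by indent_pem is what the block scalars (`|`) require.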
Running UAA locally
Please note that starting with this release, UAA can no longer be started with a plain ./gradlew run.
You need to pass a default profile so that values for the SAML and UAA signing keys are set. Run the new command below as a single execution, and make sure the path to your workspace is set correctly in it:
LOGIN_CONFIG_URL=file://$HOME/workspace/uaa/uaa/src/main/resources/required_configuration.yml ./gradlew -Dspring.profiles.active=default,hsqldb run