v58 - UAA 4.13.0
Stories included in release
Breaking Change
As of UAA v58, UAA requires an active encryption passphrase to be defined in order to start up.
Encryption key passphrases are set via the BOSH manifest. Multiple keys can be specified; each passphrase must be at least 8 characters long. Exactly one of the specified keys must be designated as the active key.
An example property looks like this:
encryption:
  active_key_label: key-1
  encryption_keys:
    - label: key-1
      passphrase: CHANGE-ME-DO-NOT-USE-1
    - label: key-2
      passphrase: CHANGE-ME-DO-NOT-USE-2
    - label: key-3
      passphrase: CHANGE-ME-DO-NOT-USE-3
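The following is an added example, not UAA's own code, that checks a manifest fragment against the constraints stated above (one active key label that matches an existing key, every passphrase at least 8 characters, no duplicate labels) and shows how a rotation edits the block. The sample config is constructed here and mirrors the example property; the function names and the rotation and retirement helpers are assumptions for illustration, not part of the UAA release.

```python
"""Validator and rotation helpers for a UAA-style ``encryption`` block.

Added example; this is not UAA's own code. It encodes the constraints the
release notes state (an active key label, every passphrase at least 8
characters) and shows a rotation that keeps the previous keys present so
credentials already encrypted under them stay readable until re-encrypted.
"""
from copy import deepcopy

MIN_PASSPHRASE_LEN = 8  # release notes: "greater than or equal to 8 characters"

# Constructed sample manifest fragment, same shape as the example property.
SAMPLE_CONFIG = {
    "encryption": {
        "active_key_label": "key-1",
        "encryption_keys": [
            {"label": "key-1", "passphrase": "CHANGE-ME-DO-NOT-USE-1"},
            {"label": "key-2", "passphrase": "CHANGE-ME-DO-NOT-USE-2"},
            {"label": "key-3", "passphrase": "CHANGE-ME-DO-NOT-USE-3"},
        ],
    }
}


def validate_encryption_config(config):
    """Return a list of problems; an empty list means the block passes every check."""
    errors = []
    enc = config.get("encryption")
    if not isinstance(enc, dict):
        return ["encryption block is missing"]
    active = enc.get("active_key_label")
    if not active:
        errors.append("active_key_label is not set")
    keys = enc.get("encryption_keys") or []
    if not keys:
        errors.append("encryption_keys is empty")
    seen = set()
    for i, key in enumerate(keys):
        label = key.get("label")
        passphrase = key.get("passphrase")
        if not label:
            errors.append(f"encryption_keys[{i}] has no label")
            continue
        if label in seen:
            errors.append(f"duplicate key label {label!r}")
        seen.add(label)
        if not isinstance(passphrase, str) or len(passphrase) < MIN_PASSPHRASE_LEN:
            errors.append(
                f"passphrase for {label!r} is missing or shorter than "
                f"{MIN_PASSPHRASE_LEN} characters"
            )
    if active and active not in seen:
        errors.append(f"active_key_label {active!r} matches no encryption_keys entry")
    return errors


def rotate_active_key(config, new_label):
    """Return a copy of the config with ``new_label`` as the active key.

    The previous keys are deliberately kept: anything encrypted under them
    must remain decryptable until it has been re-encrypted under the new key.
    """
    labels = {k["label"] for k in config["encryption"]["encryption_keys"]}
    if new_label not in labels:
        raise ValueError(
            f"cannot activate unknown key {new_label!r}; add it to encryption_keys first"
        )
    rotated = deepcopy(config)
    rotated["encryption"]["active_key_label"] = new_label
    return rotated


def retire_key(config, label):
    """Return a copy of the config without ``label``; refuses to drop the active key."""
    enc = config["encryption"]
    if label == enc["active_key_label"]:
        raise ValueError(
            f"{label!r} is the active key; rotate to another key before retiring it"
        )
    retired = deepcopy(config)
    retired["encryption"]["encryption_keys"] = [
        k for k in enc["encryption_keys"] if k["label"] != label
    ]
    return retired


if __name__ == "__main__":
    print("sample config problems:", validate_encryption_config(SAMPLE_CONFIG))
    rotated = rotate_active_key(SAMPLE_CONFIG, "key-2")
    print("active after rotation:", rotated["encryption"]["active_key_label"])
```

Running the validator before `bosh deploy` surfaces the two mistakes that would otherwise stop UAA from starting: an active label that names no key, or a passphrase below the 8-character minimum. The rotation helper only changes which label is active; retiring an old key is a separate step that should wait until no stored data still depends on it.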
Known Issue
The Monit health check and route registrar break if uaa.port is set to -1 to disable HTTP traffic. This is resolved in UAA v59.
Features
- As a security administrator, I want MFA credentials stored in the database to be encrypted
- As an operator, I want to be able to rotate the encryption key for MFA without impacting end users
- bosh deploy of UAA enforces that an encryption key is required to start UAA
- UAA enforces that an encryption key is required to start
- login_hint support for the /token endpoint
- Refreshing browser state on a prompt=none call sets the Current-User cookie