UAA Release Notes 4.13.0
Do not use
Please use 4.13.4
Features
Stories included in release
Breaking Change
As of UAA 4.13.0, UAA requires an active encryption passphrase to be defined in order to start up.
Encryption key passphrases can be set via the BOSH manifest. Multiple keys can be specified, and each passphrase can be any value at least 8 characters long. One of the specified keys must be set as the active key.
An example property looks like this:
encryption:
  active_key_label: key-1
  encryption_keys:
  - label: key-1
    passphrase: CHANGE-ME-DO-NOT-USE-1
  - label: key-2
    passphrase: CHANGE-ME-DO-NOT-USE-2
  - label: key-3
    passphrase: CHANGE-ME-DO-NOT-USE-3
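A pre-deploy check for the encryption property described above, as an added example that is not part of UAA or uaa-release. The function name, the sample input and the rule rejecting CHANGE-ME placeholder passphrases are assumptions made for illustration; the length and active-key rules are the ones stated in these notes.

```ruby
require 'yaml'

MIN_LEN = 8 # minimum passphrase length stated in these release notes

# Constructed sample: the active label matches no key, one passphrase is
# too short, and one is still a placeholder value.
SAMPLE_BAD = <<~YAML
  encryption:
    active_key_label: key-9
    encryption_keys:
    - label: key-1
      passphrase: CHANGE-ME-DO-NOT-USE-1
    - label: key-2
      passphrase: short
YAML

# Returns a list of problems in the `encryption` block (empty list = OK).
# Messages name key labels only, so passphrases never reach logs.
def check_encryption_config(yaml_text)
  doc = YAML.safe_load(yaml_text)
  enc = doc.is_a?(Hash) ? doc['encryption'] : nil
  return ['encryption block is missing'] unless enc.is_a?(Hash)

  keys = enc['encryption_keys']
  return ['encryption_keys must be a non-empty list'] unless keys.is_a?(Array) && !keys.empty?

  problems = []
  labels = []
  keys.each_with_index do |key, i|
    key = {} unless key.is_a?(Hash) # malformed entry: reported as empty below
    label = key['label'].to_s
    passphrase = key['passphrase'].to_s
    labels << label
    name = label.empty? ? "entry #{i}" : label
    problems << "#{name}: label is empty" if label.empty?
    problems << "#{name}: passphrase under #{MIN_LEN} characters" if passphrase.length < MIN_LEN
    # Added hygiene rule (assumption, not a UAA check): reject sample values.
    problems << "#{name}: placeholder passphrase" if passphrase.start_with?('CHANGE-ME')
  end

  active = enc['active_key_label'].to_s
  if active.empty?
    problems << 'active_key_label is not set'
  elsif !labels.include?(active)
    problems << "active_key_label '#{active}' matches no defined key"
  end
  problems
end
puts check_encryption_config(SAMPLE_BAD) if __FILE__ == $PROGRAM_NAME
```

Run it against the rendered manifest properties before deploying; an empty result means the block satisfies the rules above.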
Known Issue
Monit health check and route registrar break if uaa.port is set to -1 to disable HTTP traffic.
Features
- As a security administrator, I want MFA credentials stored in the database to be encrypted
- As an operator, I want to be able to rotate the encryption key for MFA without impacting end users
- UAA requires an encryption key to be configured in order to start
- Login hint support for the /token endpoint
- Refreshing browser state on prompt=none call sets Current-User cookie