Tuesday, February 26, 2019

Deploy your own UAA in Cloudfoundry

One of the interesting backing service in the cloudfoundry landscape is a UAA. In most cloudfoundry editions (e.g. Pivotal or SAP and probably in others too) one gets UAA as a backing service. However from time to time one wants to run their own UAA to see how things are really working or just for the high of having their own UAA :). 
Recently I had a requirement to host a UAA of my own as I was trying to understand how the JWTs are really getting issued by UAA and how exactly are they signed etc. 
As I turned to web to ensure that I can host my own UAA, it turned out that most articles do not have enough instructions to host a UAA in PCF as an app. Thus came the idea to document all I had to do to deploy my own UAA. 
Note that below instructions can be followed to get a just about working UAA and are in no way enough to install the UAA for production purposes. 

Here are the basic tools you would need to finish this exercise.I have a mac so most commands assume at least bash

1) git CLI
2) uaac (gem install cf-uaac) 
3) cf cli with access to a CF space where you can deploy an application 


Once you are set with these command line utilities, here are the steps to follow 

1) Go ahead and clone the repository https://github.com/cloudfoundry/uaa.git 
2) once cloned you need to make a few changes in some files. 

In the file uaa/src/main/resources/uaa.yml go ahead and add the following lines in the begining of the file 


Next go ahead and uncomment the section jwt and cors in the same file. It looks like the following 

Then go ahead and open the file uaa/src/main.webapp/WEB0INF/spring/saml-idp.xml and add a keyManager for the bean idpMetadataManager. After this addition the bean definition looks like 


Lastly we need to change the memory and timeout for the deployment descriptor found in uaa/src/test/resources/sample-manifests/uaa-cf-application.yml 


3) Once these changes are done go ahead, build and deploy the application using the following commands 

4) Now that you have deployed the UAA. It's time to login to the UAA using uaac

You can probably change this secret in /uaa/src/main/webapp/WEB-INF/spring/oauth-clients.xml (I haven't tried this bit though) 

5) You can even create a new client credential on UAA by using the commands below. You can use these commands to list the JWTs issued by UAA as well. 

Happy Coding :) 

~Abhishek

No comments: