Recently I had a requirement to host a UAA of my own, as I was trying to understand how JWTs are really issued by UAA and how exactly they are signed.
As I turned to the web to make sure I could host my own UAA, it turned out that most articles do not have enough instructions to host UAA in PCF as an app. Thus came the idea to document all I had to do to deploy my own UAA.
Note that the instructions below get you a just-about-working UAA and are in no way enough to install UAA for production purposes.
Here are the basic tools you need to finish this exercise. I have a Mac, so most commands assume at least bash.
1) git CLI
2) uaac (gem install cf-uaac)
3) cf CLI with access to a CF space where you can deploy an application
Once you are set up with these command line utilities, here are the steps to follow.
1) Clone the repository https://github.com/cloudfoundry/uaa.git
2) Once cloned, you need to make a few changes in some files.
In the file uaa/src/main/resources/uaa.yml, add the following lines at the beginning of the file:
    encryption:
      active_key_label: CHANGE-THIS-KEY
      encryption_keys:
      - label: CHANGE-THIS-KEY
        passphrase: CHANGEME
Next, uncomment the jwt and cors sections in the same file. They look like the following.
Then open the file uaa/src/main/webapp/WEB-INF/spring/saml-idp.xml and add a keyManager property to the idpMetadataManager bean. After this addition the bean definition looks like:
    <bean id="idpMetadataManager"
          class="org.cloudfoundry.identity.uaa.provider.saml.idp.NonSnarlIdpMetadataManager"
          depends-on="spMetaDataProviders" destroy-method="destroy">
        <constructor-arg name="configurator" ref="spMetaDataProviders"/>
        <property name="refreshCheckInterval" value="${login.saml.metadataRefreshInterval:0}"/>
        <property name="generator" ref="zoneAwareIdpMetadataGenerator"/>
        <property name="keyManager" ref="idpZoneAwareSamlKeyManager"/>
    </bean>
Lastly, we need to change the memory and timeout in the deployment descriptor (the Cloud Foundry manifest) found in uaa/src/test/resources/sample-manifests/uaa-cf-application.yml:
    applications:
    - name: uaa
      memory: 4096M
      timeout: 180
3) Once these changes are done, build and deploy the application using the following commands:
    ./gradlew :cloudfoundry-identity-uaa:war
    ./gradlew manifests -Dapp="uaa" -Dapp-domain="cfapps.sap.hana.ondemand.com"
    cf push -f build/sample-manifests/uaa-cf-application.yml
    uaac target uaa.cfapps.sap.hana.ondemand.com
    uaac token client get admin -s adminsecret
You can probably change this secret in /uaa/src/main/webapp/WEB-INF/spring/oauth-clients.xml (I haven't tried this bit, though).
5) You can also create a new client with client credentials on UAA using the commands below, and use these commands to list the JWTs issued by UAA as well.
    uaac client add client_id_abhishek --authorities "zones.read clients.read clients.secret clients.write uaa.admin clients.admin scim.write scim.read" --authorized_grant_types client_credentials
    uaac token client get client_id_abhishek
    uaac context
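The whole exercise started from wanting to see how UAA issues and signs JWTs. The access token that `uaac token client get` fetches (and `uaac context` displays) is a compact JWS: a base64url header, a base64url claims set and a signature. The Python script below is added here as an example and is not part of the original post or of the UAA project. It decodes such a token, verifies the signature, and then runs the checks a resource server has to make on the claims (issuer, expiry, scope). For an RS256 token from a real UAA the public key comes from the `/token_key` endpoint as a JWK (fields `n`, `e`, `kid`); the offline demo instead signs and checks an HS256 token, because that needs no key pair. The issuer URL, secret, key id, timestamps and claim values are constructed for the demo and are not from any real deployment.

```python
"""Decode and verify a UAA-style JWT offline (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed demo values: not a real UAA deployment, secret or key id.
DEMO_ISSUER = "https://uaa.example.com/oauth/token"
DEMO_SECRET = b"demo-hs256-secret-not-for-production"
DEMO_KID = "demo-key-1"
DEMO_NOW = 1_700_000_000
DEMO_CLAIMS = {"iss": DEMO_ISSUER, "client_id": "client_id_abhishek",
               "grant_type": "client_credentials", "scope": ["clients.read", "scim.read"],
               "iat": DEMO_NOW, "exp": DEMO_NOW + 3600}

def b64url_decode(data):
    """Base64url without padding, as used in JWS (RFC 7515, appendix C)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def split_jwt(token):
    """Return (header, claims, signing_input, signature) of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, f"{parts[0]}.{parts[1]}".encode("ascii"), b64url_decode(parts[2])

def verify_rs256(signing_input, signature, n, e):
    """RSASSA-PKCS1-v1_5 with SHA-256, written out so the padding is visible.
    n and e are the integers from the JWK that UAA serves at /token_key."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return k >= len(t) + 11 and hmac.compare_digest(em, expected)

def verify_hs256(signing_input, signature, secret):
    mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(mac, signature)

def validate_claims(claims, issuer, required_scopes=(), now=None):
    """Return the failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != issuer:
        failures.append("iss")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        failures.append("exp")
    missing = sorted(set(required_scopes) - set(claims.get("scope", [])))
    if missing:
        failures.append("scope:" + ",".join(missing))
    return failures

def verify_uaa_token(token, key, issuer, required_scopes=(), now=None):
    """Signature first, then claims. `key` is a JWK dict (RS256, as served by /token_key)
    or a bytes secret (HS256). The key decides the algorithm; the token's "alg" header is
    only checked for consistency, so a token carrying "alg": "none" cannot downgrade it."""
    header, claims, signing_input, signature = split_jwt(token)
    if isinstance(key, dict):
        if header.get("alg") != "RS256" or header.get("kid") != key.get("kid"):
            return False, ["alg/kid"]
        n = int.from_bytes(b64url_decode(key["n"]), "big")
        e = int.from_bytes(b64url_decode(key["e"]), "big")
        ok = verify_rs256(signing_input, signature, n, e)
    else:
        if header.get("alg") != "HS256":
            return False, ["alg"]
        ok = verify_hs256(signing_input, signature, key)
    if not ok:
        return False, ["signature"]
    failures = validate_claims(claims, issuer, required_scopes, now)
    return not failures, failures

def sign_hs256(claims, secret, kid):
    """Minimal HS256 token for the demo (constructed; real UAA tokens carry more claims)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def demo():
    """Cases a verifier must get right; returns {case: (accepted, failures)}."""
    token = sign_hs256(DEMO_CLAIMS, DEMO_SECRET, DEMO_KID)
    head, body, sig = token.split(".")
    # Payload edited to add a scope, original signature kept: must fail on the signature.
    edited = dict(DEMO_CLAIMS, scope=DEMO_CLAIMS["scope"] + ["uaa.admin"])
    tampered = head + "." + b64url_encode(json.dumps(edited).encode()) + "." + sig
    # Header swapped for "alg": "none" with an empty signature: rejected before any claim check.
    unsigned = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + body + "."
    return {"valid": verify_uaa_token(token, DEMO_SECRET, DEMO_ISSUER, ["clients.read"], now=DEMO_NOW),
            "tampered": verify_uaa_token(tampered, DEMO_SECRET, DEMO_ISSUER, now=DEMO_NOW),
            "alg_none": verify_uaa_token(unsigned, DEMO_SECRET, DEMO_ISSUER, now=DEMO_NOW),
            "expired": verify_uaa_token(token, DEMO_SECRET, DEMO_ISSUER, now=DEMO_NOW + 7200),
            "missing_scope": verify_uaa_token(token, DEMO_SECRET, DEMO_ISSUER, ["scim.write"], now=DEMO_NOW)}

if __name__ == "__main__":
    print(demo())
```

To inspect a token from your own UAA, paste the access token shown by `uaac context` into `split_jwt` to see the header (`alg`, `kid`) and claims, then fetch the JWK from `/token_key` and pass it as `key` to `verify_uaa_token`; the `kid` in the token header must match the key you fetched, which is what you need when the jwt section of uaa.yml defines more than one signing key.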
Happy Coding :)
~Abhishek