cloudfoundry / docs-deploying-cf

The docs repo for material on deploying Cloud Foundry
Apache License 2.0

jwt verification key incorrect information #132

Closed valenbb closed 8 years ago

valenbb commented 8 years ago

The documentation for editing the cf-stub.yml jwt section does not tell us what to do properly. We could not use the generated pub file. Used the following to cat the output file: `openssl rsa -in jwt-key.pem -pubout > key.pub`

ssh-keygen -f jwt-key.pem does not create a pub key which includes the begin and end lines.

```yaml
jwt:
  verification_key: JWT_VERIFICATION_KEY
  signing_key: JWT_SIGNING_KEY
```

Instead of just stating where each key is used, the begin and end lines should be inserted so that admins know what to look for after generating these keys. For example,

```yaml
verification_key: JWT_VERIFICATION_KEY
  -----BEGIN PUBLIC KEY-----
  PUBLIC_KEY
  -----END PUBLIC KEY-----
signing_key: JWT_SIGNING_KEY
  -----BEGIN RSA PRIVATE KEY-----
  RSA_PRIVATE_KEY
  -----END RSA PRIVATE KEY-----
```

Without proper information my team spent close to two months trying to figure out the resolution for:

```
API endpoint:   https://api.cftest.test.local (API version: 2.58.0)
User:           admin
No org or space targeted, use 'cf target -o ORG -s SPACE'
FAILED
Error finding available orgs
Server error, status code: 500, error code: 0, message:
```

cf-gitbot commented 8 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/130138453

The labels on this github issue will be updated when the story is started.

valenbb commented 8 years ago

There was a typo in statement "ssh-keygen -f jwt-key.pem does create a pub key which includes the begin and end lines"

It should be does not.

Thanks

wbean1 commented 8 years ago

+1 this area needs better doc, esp given the changes to these parameters in v242. I spent two days trying to migrate to the new properties (uaa.jwt.policy.keys) before giving up and staying on the deprecated ones.

jbheron commented 8 years ago

Thanks @valenbb, I've updated our docs per your suggestion, and will touch base with the CF UAA team for further guidance about uaa.jwt.policy.keys that @wbean1 mentioned causing them some trouble. Closing.

valenbb commented 8 years ago

@jbheron, "openssl rsa -in jwt-key.pem -pubout > key.pub" does not create the private key, it only outputs public key with the BEGIN and END lines. We would still need to use a mechanism to create the private key.

A quick recommendation for the jwt process:

  1. Create the jwt signing key using "openssl genrsa -out jwt-key.pem 2048"
  2. Obtain jwt verification key using "openssl rsa -in jwt-key.pem -pubout > key.pub"

Please test this out and update the document.

Thanks.
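A worked version of the two-step procedure recommended above, added here as an example and not part of the issue thread or the docs-deploying-cf repo. It runs the two openssl commands, checks each file for the PEM BEGIN/END lines the thread says admins should look for, and confirms that the exported verification key actually verifies a signature made with the signing key (the RSA-with-SHA-256 operation behind an RS256 token), while a key from a different pair is rejected. The file names, the constructed payload, and the YAML layout emitted by `render_jwt_stub` (block scalars under a `jwt:` key) are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate the UAA JWT signing/verification key pair with openssl
# and prove the pair is consistent. Not code from the docs repo or the issue.

# Step 1 and step 2 from the thread. $1 = directory to write into.
make_jwt_keys() {
  dir=$1
  # Signing key: RSA 2048-bit private key.
  openssl genrsa -out "$dir/jwt-key.pem" 2048 2>/dev/null
  # Verification key: the public half, exported with its PEM armor lines.
  openssl rsa -in "$dir/jwt-key.pem" -pubout -out "$dir/key.pub" 2>/dev/null
}

# Return 0 when the file carries the BEGIN/END lines an admin should look for.
# $1 = file, $2 = "public" or "private".
has_pem_markers() {
  case $2 in
    public)
      grep -q -- '-----BEGIN PUBLIC KEY-----' "$1" \
        && grep -q -- '-----END PUBLIC KEY-----' "$1" ;;
    private)
      # OpenSSL 1.x writes "RSA PRIVATE KEY" (PKCS#1); OpenSSL 3.x writes
      # "PRIVATE KEY" (PKCS#8) unless genrsa is given -traditional.
      grep -Eq -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$1" \
        && grep -Eq -- '-----END (RSA )?PRIVATE KEY-----' "$1" ;;
    *) return 2 ;;
  esac
}

# Sign a constructed token body with the signing key and verify it with the
# verification key. Returns 0 only when the two files are halves of one pair.
# $1 = directory holding jwt-key.pem and key.pub.
keys_match() {
  dir=$1
  # Constructed sample payload; a real UAA token body would be base64url JSON.
  printf '%s' '{"sub":"admin","scope":["cloud_controller.read"]}' > "$dir/payload.json"
  openssl dgst -sha256 -sign "$dir/jwt-key.pem" \
    -out "$dir/payload.sig" "$dir/payload.json" \
    && openssl dgst -sha256 -verify "$dir/key.pub" \
    -signature "$dir/payload.sig" "$dir/payload.json" >/dev/null 2>&1
}

# Failure mode: a verification_key from some other pair must NOT validate
# tokens signed with this signing_key. Returns 0 when the mismatch is rejected.
wrong_key_rejected() {
  dir=$1
  keys_match "$dir" || return 1          # produce payload.sig with the right key
  openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/other.pem" -pubout -out "$dir/other.pub" 2>/dev/null
  if openssl dgst -sha256 -verify "$dir/other.pub" \
       -signature "$dir/payload.sig" "$dir/payload.json" >/dev/null 2>&1; then
    return 1                             # a foreign key must never verify
  fi
  return 0
}

# Print a jwt: stanza with both PEM files as YAML block scalars (assumed layout).
render_jwt_stub() {
  dir=$1
  printf 'jwt:\n  verification_key: |\n'
  sed 's/^/    /' "$dir/key.pub"
  printf '  signing_key: |\n'
  sed 's/^/    /' "$dir/jwt-key.pem"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_jwt_keys "$work"
  has_pem_markers "$work/key.pub" public && echo "key.pub has PUBLIC KEY markers"
  has_pem_markers "$work/jwt-key.pem" private && echo "jwt-key.pem has PRIVATE KEY markers"
  keys_match "$work" && echo "verification_key matches signing_key"
  wrong_key_rejected "$work" && echo "foreign verification_key rejected"
  render_jwt_stub "$work"
  rm -rf "$work"
fi
```

If the private key must read `-----BEGIN RSA PRIVATE KEY-----` exactly as in the stub example, run `openssl genrsa -traditional` on OpenSSL 3.x; the `has_pem_markers` check accepts both headers so the script behaves the same on either release.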