Pivotal Knowledge Base

How to Change the Internal UAA password policy when another identity provider is in use

Environment

Product: Pivotal Cloud Foundry
Version: All versions

Purpose

This article guides you through changing the internal UAA password policy with the uaac CLI.

This is required when you are using a separate identity provider such as "SAML Identity Provider" or "LDAP Server" but still have some internal UAA users that must meet a specific password policy.

Normally you would configure the password policy in Ops Manager on the "Pivotal Elastic Runtime" > "Authentication and Enterprise SSO" page, but that option is not available once "SAML Identity Provider" or "LDAP Server" has been selected.

Procedure

Please review the Risks/Impact section below before proceeding.

In this example the UAA password policy has a "minLength" of 6, and we change it to 10.

  1. Log on to Ops Manager through SSH.
  2. Log in to UAA using the uaac CLI:
    See Creating Admin Users steps 1-7 and ensure the admin user has the "uaa.admin" scope.
    $ uaac contexts
    [0]*[https://uaa.]
      skip_ssl_validation: true
    
      [0]*[admin]
          client_id: admin
          access_token: <JWT redacted>
          token_type: bearer
          expires_in: 43199
          scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
          jti: 36fce976d5a9437cbae08519f2ddd565
  3. Get the identity providers of the default zone. The entry to edit is the one with "type": "uaa"; note that its "config" value is itself a JSON document stored as a string, which is why the quotes inside it are escaped:
    $ uaac curl https://uaa.<PCF_DOMAIN>/identity-providers -k
    GET https://uaa.<PCF_DOMAIN>/identity-providers
    
    200 OK
    RESPONSE HEADERS:
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Content-Type: application/json;charset=UTF-8
      Date: Tue, 07 Feb 2017 22:26:46 GMT
      Expires: 0
      Pragma: no-cache
      Server: Apache-Coyote/1.1
      Strict-Transport-Security: max-age=31536000 ; includeSubDomains
      X-Content-Type-Options: nosniff
      X-Frame-Options: DENY
      X-Vcap-Request-Id: 6b253a71-facd-46be-5760-106d6d92df2b
      X-Xss-Protection: 1; mode=block
      Connection: close
      Transfer-Encoding: chunked
    RESPONSE BODY:
    [
      {
        "type": "ldap",
        "config": "null",
        "id": "2684aa59-83c9-4e28-ba15-b959a60cd8f4",
        "originKey": "ldap",
        "name": "ldap",
        "version": 12,
        "created": 946684800000,
        "last_modified": 1486393093000,
        "active": false,
        "identityZoneId": "uaa"
      },
      {
        "type": "login-server",
        "config": "null",
        "id": "53034243-75e1-4657-9b9e-b1ba9be17858",
        "originKey": "login-server",
        "name": "login-server",
        "version": 12,
        "created": 946684800000,
        "last_modified": 1486393093000,
        "active": false,
        "identityZoneId": "uaa"
      },
      {
        "type": "keystone",
        "config": "null",
        "id": "58b8b564-fa34-4807-bdd5-fb1eac22ac78",
        "originKey": "keystone",
        "name": "keystone",
        "version": 12,
        "created": 946684800000,
        "last_modified": 1486393093000,
        "active": false,
        "identityZoneId": "uaa"
      },
      {
        "type": "saml",
        "config": "{\"emailDomain\":[],\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"given_name\":null,\"family_name\":null,\"external_groups\":null,\"email\":null},\"addShadowUserOnLogin\":true,\"metaDataLocation\":\"https://gsslabdc./FederationMetadata/2007-06/FederationMetadata.xml\",\"idpEntityAlias\":\"gsslabIDP\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":true,\"linkText\":\"GSSLAB\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":true,\"socketFactoryClassName\":null}",
        "id": "64c54893-409a-4a12-80a4-b2ee59683cb9",
        "originKey": "gsslabIDP",
        "name": "UAA SAML Identity Provider[gsslabIDP]",
        "version": 5,
        "created": 1485688050000,
        "last_modified": 1486393093000,
        "active": true,
        "identityZoneId": "uaa"
      },
      {
        "type": "uaa",
        "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"passwordPolicy\":{\"minLength\":6,\"maxLength\":255,\"requireUpperCaseCharacter\":0,\"requireLowerCaseCharacter\":0,\"requireDigit\":0,\"requireSpecialCharacter\":0,\"expirePasswordInMonths\":0},\"lockoutPolicy\":{\"lockoutPeriodSeconds\":300,\"lockoutAfterFailures\":5,\"countFailuresWithin\":1200},\"disableInternalUserManagement\":false}",
        "id": "6b5f3cdb-2b50-4d09-b054-62ffea7de0d6",
        "originKey": "uaa",
        "name": "uaa",
        "version": 12,
        "created": 946684800000,
        "last_modified": 1486393094000,
        "active": true,
        "identityZoneId": "uaa"
      }
    ]
  4. Modify the "config" value of the "uaa" provider to match the new password policy. Because "config" is a JSON string inside the outer JSON, keep the escaped quotes exactly as returned and change only the number:
    Change:
    \"minLength\":6

    To:

    \"minLength\":10
  5. Apply the new policy with an HTTP PUT to the "uaa" provider's "id" from step 3. The body carries the provider's "originKey", "name" and "type" together with the "config" string from step 4 (the "uaa" provider's config returned in step 3, plus the modification):
    $ uaac curl -X PUT -H "Accept: application/json" \
                       -H "Content-Type: application/json" \
                       -H "X-Identity-Zone-Id: uaa" \
                       -d '{"originKey":"uaa","name":"uaa","type":"uaa","config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"passwordPolicy\":{\"minLength\":10,\"maxLength\":255,\"requireUpperCaseCharacter\":0,\"requireLowerCaseCharacter\":0,\"requireDigit\":0,\"requireSpecialCharacter\":0,\"expirePasswordInMonths\":0},\"lockoutPolicy\":{\"lockoutPeriodSeconds\":300,\"lockoutAfterFailures\":5,\"countFailuresWithin\":1200},\"disableInternalUserManagement\":false}"}' \
                       https://uaa.<PCF_DOMAIN>/identity-providers/6b5f3cdb-2b50-4d09-b054-62ffea7de0d6 -k
    
    PUT https://uaa.<PCF_DOMAIN>/identity-providers/6b5f3cdb-2b50-4d09-b054-62ffea7de0d6
    REQUEST BODY: "{"originKey":"uaa","name":"uaa","type":"uaa","config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"passwordPolicy\":{\"minLength\":10,\"maxLength\":255,\"requireUpperCaseCharacter\":0,\"requireLowerCaseCharacter\":0,\"requireDigit\":0,\"requireSpecialCharacter\":0,\"expirePasswordInMonths\":0},\"lockoutPolicy\":{\"lockoutPeriodSeconds\":300,\"lockoutAfterFailures\":5,\"countFailuresWithin\":1200},\"disableInternalUserManagement\":false}"}"
    REQUEST HEADERS:
      Accept: application/json
      Content-Type: application/json
      X-Identity-Zone-Id: uaa
    
    200 OK
    RESPONSE HEADERS:
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Content-Type: application/json;charset=UTF-8
      Date: Tue, 07 Feb 2017 22:34:16 GMT
      Expires: 0
      Pragma: no-cache
      Server: Apache-Coyote/1.1
      Strict-Transport-Security: max-age=31536000 ; includeSubDomains
      X-Content-Type-Options: nosniff
      X-Frame-Options: DENY
      X-Vcap-Request-Id: 50c3435e-2fee-4bbe-605c-480264b28dbc
      X-Xss-Protection: 1; mode=block
      Content-Length: 630
      Connection: close
    RESPONSE BODY:
    {
      "type": "uaa",
      "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"passwordPolicy\":{\"minLength\":10,\"maxLength\":255,\"requireUpperCaseCharacter\":0,\"requireLowerCaseCharacter\":0,\"requireDigit\":0,\"requireSpecialCharacter\":0,\"expirePasswordInMonths\":0},\"lockoutPolicy\":{\"lockoutPeriodSeconds\":300,\"lockoutAfterFailures\":5,\"countFailuresWithin\":1200},\"disableInternalUserManagement\":false}",
      "id": "6b5f3cdb-2b50-4d09-b054-62ffea7de0d6",
      "originKey": "uaa",
      "name": "uaa",
      "version": 1,
      "created": 946684800000,
      "last_modified": 1486506856000,
      "active": true,
      "identityZoneId": "uaa"
    }
  6. The new policy is now enforced whenever an internal UAA user's password is set or changed (a new user is created, or an existing user changes their password). Existing passwords are not re-validated retroactively. Re-run the GET from step 3 and confirm that the stored "config" of the "uaa" provider now shows \"minLength\":10.
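Hand-editing the escaped "config" string is the most error-prone part of steps 3 to 6. The following Python is an added example for this article (it is not Pivotal's or the UAA project's code) that performs the same edit programmatically: it picks the "uaa" provider out of the step 3 response, decodes the nested config, changes the password-policy fields, sanity-checks them, re-encodes the PUT body from step 5, renders the uaac curl line, and performs the step 6 comparison against the server's echo. The provider record embedded below is a constructed copy of the one on this page; the uaa_url argument (for example https://uaa.<PCF_DOMAIN>) and the policy range checks are assumptions made for the example, not UAA's own validation rules.

```python
"""Build, sanity-check and verify a UAA internal password-policy update (added example)."""
import json
import shlex

# Constructed sample: the "uaa" entry from the GET /identity-providers response in
# step 3. "config" is a JSON document serialised *inside* a JSON string, which is
# why the hand-written PUT body on this page is full of \" escapes.
SAMPLE_UAA_PROVIDER = {
    "type": "uaa",
    "config": json.dumps({
        "emailDomain": None, "additionalConfiguration": None, "providerDescription": None,
        "passwordPolicy": {"minLength": 6, "maxLength": 255, "requireUpperCaseCharacter": 0,
                           "requireLowerCaseCharacter": 0, "requireDigit": 0,
                           "requireSpecialCharacter": 0, "expirePasswordInMonths": 0},
        "lockoutPolicy": {"lockoutPeriodSeconds": 300, "lockoutAfterFailures": 5,
                          "countFailuresWithin": 1200},
        "disableInternalUserManagement": False,
    }),
    "id": "6b5f3cdb-2b50-4d09-b054-62ffea7de0d6",
    "originKey": "uaa", "name": "uaa", "version": 12, "active": True, "identityZoneId": "uaa",
}

POLICY_FIELDS = ("minLength", "maxLength", "requireUpperCaseCharacter",
                 "requireLowerCaseCharacter", "requireDigit", "requireSpecialCharacter",
                 "expirePasswordInMonths")
REQUIRE_FIELDS = POLICY_FIELDS[2:6]


def find_uaa_provider(providers):
    """Select the internal provider (type and originKey both "uaa") from the step-3 list."""
    hits = [p for p in providers if p.get("type") == "uaa" and p.get("originKey") == "uaa"]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one internal uaa provider, found {len(hits)}")
    return hits[0]


def decode_config(provider):
    """Parse the nested "config" string; the other providers on the page carry "null" here."""
    raw = provider["config"]
    return json.loads(raw) if isinstance(raw, str) else raw


def validate_password_policy(policy):
    """Assumed sanity checks: reject values that are not counts or cannot be satisfied."""
    for field in POLICY_FIELDS:
        value = policy.get(field)
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"passwordPolicy.{field} must be a non-negative integer, got {value!r}")
    if policy["minLength"] > policy["maxLength"]:
        raise ValueError("minLength exceeds maxLength")
    if sum(policy[f] for f in REQUIRE_FIELDS) > policy["maxLength"]:
        raise ValueError("required character classes cannot fit inside maxLength")
    return policy


def build_update_body(provider, **changes):
    """Return the step-5 PUT body: identifying fields plus the re-encoded config string."""
    config = decode_config(provider)
    if not config or "passwordPolicy" not in config:
        raise ValueError("provider has no passwordPolicy to modify")
    unknown = set(changes) - set(POLICY_FIELDS)
    if unknown:
        raise ValueError(f"unknown passwordPolicy fields: {sorted(unknown)}")
    policy = validate_password_policy({**config["passwordPolicy"], **changes})
    new_config = {**config, "passwordPolicy": policy}  # lockoutPolicy etc. carried over untouched
    return {"originKey": provider["originKey"], "name": provider["name"],
            "type": provider["type"], "config": json.dumps(new_config, separators=(",", ":"))}


def uaac_put_command(uaa_url, provider, body, zone_id="uaa", insecure=False):
    """Render the uaac curl line from step 5; uaa_url is e.g. https://uaa.<PCF_DOMAIN> (assumed)."""
    parts = ["uaac curl -X PUT", "-H 'Accept: application/json'",
             "-H 'Content-Type: application/json'",
             "-H " + shlex.quote(f"X-Identity-Zone-Id: {zone_id}"),
             "-d " + shlex.quote(json.dumps(body)),
             shlex.quote(f"{uaa_url}/identity-providers/{provider['id']}")]
    if insecure:  # the page passes -k; only acceptable while the UAA certificate is not trusted
        parts.append("-k")
    return " ".join(parts)


def policy_applied(put_response, body):
    """Step-6 check: the policy UAA echoed back must equal the one that was sent."""
    return decode_config(put_response)["passwordPolicy"] == decode_config(body)["passwordPolicy"]


if __name__ == "__main__":
    provider = find_uaa_provider([SAMPLE_UAA_PROVIDER])
    body = build_update_body(provider, minLength=10)
    print(uaac_put_command("https://uaa.<PCF_DOMAIN>", provider, body, insecure=True))
    # Constructed stand-in for the 200 OK response body shown in step 5.
    simulated_response = {**provider, "config": body["config"], "version": 1}
    print("policy applied:", policy_applied(simulated_response, body))
```

Feed the real step 3 output to find_uaa_provider (for example, json.load on the saved RESPONSE BODY), paste the rendered command into the Ops Manager shell, and then pass the actual PUT response to policy_applied instead of the simulated one. Keeping lockoutPolicy and the other config keys untouched, as build_update_body does, matters because the PUT replaces the whole "config" string, not just the password policy.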

Risks/Impact

This procedure completely bypasses the validation that Ops Manager normally performs.
A syntax error or incorrect value in the "config" string (a missing backslash or quote is the most common mistake) can lead to unforeseen issues that may require Pivotal Support to resolve. Compare your PUT body against the GET output from step 3 before sending it, and re-run that GET afterwards to confirm the stored policy is the one you intended.

Also be aware that certain password policy settings, such as a non-zero "expirePasswordInMonths", can cause other problems:

Admin Password has Expired: https://discuss.pivotal.io/hc/en-us/articles/228639987-UAA-Admin-Password-has-Expired