Pivotal Knowledge Base


How to Change a Service Plan for JWT Token Signing Key


  • Pivotal Cloud Foundry (PCF) Elastic Runtime 1.10 and earlier
  • UAA 


This article explains the steps for setting a different token key for an SSO Service Plan (a.k.a. UAA Identity Zone). The instructions provide guidance on how to use the APIs documented for UAA in this document.


1. Obtain the UAA Admin Client Credentials for the ERT tile from Ops Manager.

2. Login to your domain via UAAC

   uaac target https://login.example.com

   uaac token client get admin

   Enter client select from Ops Manager

3. Use UAAC to retrieve the information for the identity zone you wish to change.

  • uaac curl -k /identity-zones/your-zone-id > filename.txt
  • Delete the header info and leave the JSON blob
  • If you need help identifying the zone ID, you can list all identity-zones via `uaac curl -k /identity-zones`.Alternatively, you can find the ID by looking in the URL when editing your plan: https://p-identity.your-domain-here.com/dashboard/edit_plan/(id-here, e.g. debb54d4-cd9a-4e6e-b016-56781a4a6edb)

4. Generate a new signing key

  • For example, `ssh-keygen -t rsa` generates a private key that can be used for signing. Refer to your security organization for acceptable key generation practices.

5. Take the value from your generated private key and insert it as a single line of text (replace all newlines with `\n`) into the value to pass for the update

For example,

  1. -----BEGIN RSA PRIVATE KEY-----
  2. MIIEogIBAAKCAQEA63iy3EpQG46eRzUKpI8sB/AQdbZwwrDkfPGg5Xt5xNM/wQrO
  3. 5l/yWp3lCElSqnKPJbCGu1DQThB47kGQjBoXL8TcrkxuCyuxaV7B5ryq3w+g3R1x
  4. -----END RSA PRIVATE KEY-----


  1. -----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEA63iy3EpQG46eRzUKpI8sB/AQdbZwwrDkfPGg5Xt5xNM/wQrO\n5l/yWp3lCElSqnKPJbCGu1DQThB47kGQjBoXL8TcrkxuCyuxaV7B5ryq3w+g3R1x\n-----END RSA PRIVATE KEY-----\n

One option to do this could be to use `:%s/\n/\\n` in vim text editor.

6. Update the token policy section with the updated key (formatted in the previous step) using the API references (the example of the section to be updated below) and also configure it as the activeKeyId

"tokenPolicy": {
"accessTokenValidity": -1,
"refreshTokenValidity": -1,
"jwtRevocable": false,
"refreshTokenUnique": false,
"refreshTokenFormat": "jwt",
"activeKeyId": "updatedKeyId",
"keys" : { 
"updatedKeyId" : { 
"signingKey" : "INSERT KEY TEXT HERE" 

7. Submit a UAAC curl request to update the identity zone with your updated configurations

  • uaac curl -k /identity-zones/your-zone-id -X PUT -H 'Content-Type: application/json' -d '{JSON HERE}'
  • You can compact the JSON to avoid issues with line spacing when using a command line, or pass in the file like uaac curl -k /identity-zones/your-zone-id -X PUT -H 'Content-Type: application/json' -d "$(cat filename.txt)"

8. Restart the client and resource server applications in that Service Plan that are using Spring Boot so that the new token key will take effect.

  • Not restarting client will cause logins and authorizations to stop working as newly issued tokens will be signed using the new token key.
  • Not restarting the resource server will cause clients using the new token key to be rejected, as the digital signature of newly issued token keys will be signed using the new token key.

Additional Information

How to Change a Service Plan's "Disable Redirect Parameter" to Enable Single SignOut


Powered by Zendesk