Skip to content

Commit

Permalink
Merge pull request #3079 from cisagov/rotate-login-certs-documentation
Browse files Browse the repository at this point in the history 
Login certs rotation readme updates [No sandbox needed]
  • Loading branch information
@abroddrick
abroddrick authored Nov 14, 2024
2 parents 971d6d6 + 5f32977 commit d080f53
Show file tree
Hide file tree
Showing 2 changed files with 55 additions and 7 deletions.
54 changes: 51 additions & 3 deletions docs/operations/runbooks/rotate_application_secrets.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@

Secrets are read from the running environment.

Secrets were originally created with:
Secrets are originally created with:

```sh
cf cups getgov-credentials -p credentials-<ENVIRONMENT>.json
Expand Down Expand Up @@ -38,6 +38,49 @@ cf restage getgov-stable --strategy rolling

Non-secret environment variables can be declared in `manifest-<ENVIRONMENT>.json` directly.

## Rotating login.gov credentials
The DJANGO_SECRET_KEY and DJANGO_SECRET_LOGIN_KEY are reset once a year for each sandbox, see their sections below for more information on them and how to manually generate these keys. To save time, complete the following steps to rotate these credentials using a script in non-production environments:

### Step 1 login

To run the script make sure you are logged on the cf cli and make sure you have access to the [Login Partner Dashboard](https://dashboard.int.identitysandbox.gov/service_providers/2640).

### Step 2 Run the script

Run the following where "ENV" refers to whichever sandbox you want to reset credentials on. Note, the below assumes you are in the root directory of our app.

```bash
ops/scripts/rotate_login_certs.sh ENV
```

### Step 3 Respond to the terminal prompts

Respond to the prompts from the script and, when it asks for the cert information, the below is an example of what you should enter. Note for "Common Name" you should put the name of the sandbox and for "Email Address" it should be the address of who owns that sandbox (such as the developer's email, if it's a develop sandbox, or whoever ran this action otherwise)

```bash
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:DC
Locality Name (eg, city) []:DC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DHS
Organizational Unit Name (eg, section) []:CISA
Common Name (e.g. server FQDN or YOUR name) []:ENV
Email Address []: [email protected]
```

Note when this script is done it will have generated a .pem and a .crt file, as well as updated the cert info on the sandbox

### Step 4 Delete the old cert

Navigate to to the Login Partner Dashboard linked above and delete the old cert

### Step 5 add the new cert

In whichever directory you ran the script there should now be a .crt file named "public-ENV.crt", where ENV is the space name you used on Step 2. Upload this cert in the Login Partner Dashboard in the same section where you deleted the old one.

### Production only

This script should not be run in production. Instead, you will need to manually create the keys and then refrain from updating the sandbox. Once the cert is created you will upload it to the Login Partner Dashboard for our production system, and then open a ticket with them to update our existing Login.gov integration. Once they respond back saying it has been applied, you can then update the sandbox.

## DJANGO_SECRET_KEY

This is a standard Django secret key. See Django documentation for tips on generating a new one.
Expand All @@ -46,6 +89,7 @@ This is a standard Django secret key. See Django documentation for tips on gener

This is the base64 encoded private key used in the OpenID Connect authentication flow with Login.gov. It is used to sign a token during user login; the signature is examined by Login.gov before their API grants access to user data.

### Manually creating creating the Login Key
Generate a new key using this command (or whatever is most recently [recommended by Login.gov](https://developers.login.gov/testing/#creating-a-public-certificate)):

```bash
Expand All @@ -60,6 +104,8 @@ base64 private.pem

You also need to upload the `public.crt` key if recently created to the login.gov identity sandbox: https://dashboard.int.identitysandbox.gov/



## AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY

To access the AWS Simple Email Service, we need credentials from the CISA AWS
Expand All @@ -76,6 +122,8 @@ These are the client certificate and its private key used to identify the regist

The private key is protected by a passphrase for safer transport and storage.

Note this must be reset once a year.

These were generated with the following steps:

### Step 1: Generate an unencrypted private key with a named curve
Expand All @@ -90,7 +138,7 @@ openssl ecparam -name prime256v1 -genkey -out client_unencrypted.key
openssl pkcs8 -topk8 -v2 aes-256-cbc -in client_unencrypted.key -out client.key
```

### Generate the certificate
### Step 3: Generate the certificate

```bash
openssl req -new -x509 -days 365 -key client.key -out client.crt -subj "/C=US/ST=DC/L=Washington/O=GSA/OU=18F/CN=GOV Prototype Registrar"
Expand All @@ -112,7 +160,7 @@ base64 -i client.key
base64 -i client.crt
```

You'll need to give the new certificate to the registry vendor _before_ rotating it in production. Once it has been accepted by the vendor, make sure to update the kdbx file on Google Drive.
You'll need to give the new certificate to the registry vendor _before_ rotating it in production. Once it has been accepted by the vendor, make sure to update [the KBDX](https://docs.google.com/document/d/1_BbJmjYZNYLNh4jJPPnUEG9tFCzJrOc0nMrZrnSKKyw) file on Google Drive.

## REGISTRY_HOSTNAME

Expand Down
8 changes: 4 additions & 4 deletions ops/scripts/rotate_login_certs.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,10 @@


if [ -z "$1" ]; then
echo 'Please specify a new space to create (i.e. lmm)' >&2
echo 'Please specify a space to update (i.e. lmm)' >&2
exit 1
fi
echo "You need access to the login partner dashboard, otherwise you will not be able to complete the steps in this script (https://dashboard.int.identitysandbox.gov/service_providers/2640)"
echo "You need access to the Login partner dashboard, otherwise you will not be able to complete the steps in this script (https://dashboard.int.identitysandbox.gov/service_providers/2640)"
read -p " Do you have access to the partner dashboard mentioned above? (y/n) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
Expand Down Expand Up @@ -43,9 +43,9 @@ echo "Updating creds on the sandbox"
cf uups getgov-credentials -p credentials-$1.json
cf restage getgov-$1 --strategy rolling

echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/."
echo "\n\n\nNow you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/."
echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?"
echo "There are two things to update."
echo "1. Remove the old cert associated with the user's email (under Public Certificates)"
echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates."
echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox"
echo "Then, tell the developer to update their local .env file by retrieving their credentials from the sandbox"

0 comments on commit d080f53

Please sign in to comment.