From df4fa55df36c9dbc289e281f8bfc907f990faa29 Mon Sep 17 00:00:00 2001 From: Alysia Broddrick Date: Wed, 13 Nov 2024 08:34:24 -0800 Subject: [PATCH 1/2] fixed typo --- ops/scripts/rotate_login_certs.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ops/scripts/rotate_login_certs.sh b/ops/scripts/rotate_login_certs.sh index abefd8781..41976d750 100755 --- a/ops/scripts/rotate_login_certs.sh +++ b/ops/scripts/rotate_login_certs.sh @@ -5,10 +5,10 @@ if [ -z "$1" ]; then - echo 'Please specify a new space to create (i.e. lmm)' >&2 + echo 'Please specify a space to update (i.e. lmm)' >&2 exit 1 fi -echo "You need access to the login partner dashboard, otherwise you will not be able to complete the steps in this script (https://dashboard.int.identitysandbox.gov/service_providers/2640)" +echo "You need access to the Login partner dashboard, otherwise you will not be able to complete the steps in this script (https://dashboard.int.identitysandbox.gov/service_providers/2640)" read -p " Do you have access to the partner dashboard mentioned above? (y/n) " -n 1 -r echo if [[ ! $REPLY =~ ^[Yy]$ ]]; then @@ -48,4 +48,4 @@ echo "Navigate to our application config: https://dashboard.int.identitysandbox. echo "There are two things to update." echo "1. Remove the old cert associated with the user's email (under Public Certificates)" echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates." -echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox" +echo "Then, tell the developer to update their local .env file by retrieving their credentials from the sandbox" From 5f329774bad1cebdf636108a4faf15e84606e6b1 Mon Sep 17 00:00:00 2001 From: Alysia Broddrick Date: Wed, 13 Nov 2024 17:10:35 -0800 Subject: [PATCH 2/2] added new login cert rotation documentation --- .../runbooks/rotate_application_secrets.md | 54 +++++++++++++++++-- ops/scripts/rotate_login_certs.sh | 2 +- 2 files changed, 52 insertions(+), 4 deletions(-) diff --git a/docs/operations/runbooks/rotate_application_secrets.md b/docs/operations/runbooks/rotate_application_secrets.md index 1094b4ff7..1d36f6a74 100644 --- a/docs/operations/runbooks/rotate_application_secrets.md +++ b/docs/operations/runbooks/rotate_application_secrets.md @@ -3,7 +3,7 @@ Secrets are read from the running environment. -Secrets were originally created with: +Secrets are originally created with: ```sh cf cups getgov-credentials -p credentials-.json @@ -38,6 +38,49 @@ cf restage getgov-stable --strategy rolling Non-secret environment variables can be declared in `manifest-.json` directly. +## Rotating login.gov credentials +The DJANGO_SECRET_KEY and DJANGO_SECRET_LOGIN_KEY are reset once a year for each sandbox, see their sections below for more information on them and how to manually generate these keys. To save time, complete the following steps to rotate these credentials using a script in non-production environments: + +### Step 1 login + +To run the script make sure you are logged on the cf cli and make sure you have access to the [Login Partner Dashboard](https://dashboard.int.identitysandbox.gov/service_providers/2640). + +### Step 2 Run the script + +Run the following where "ENV" refers to whichever sandbox you want to reset credentials on. Note, the below assumes you are in the root directory of our app. + +```bash +ops/scripts/rotate_login_certs.sh ENV +``` + +### Step 3 Respond to the terminal prompts + +Respond to the prompts from the script and, when it asks for the cert information, the below is an example of what you should enter. Note for "Common Name" you should put the name of the sandbox and for "Email Address" it should be the address of who owns that sandbox (such as the developer's email, if it's a develop sandbox, or whoever ran this action otherwise) + +```bash +Country Name (2 letter code) [AU]:US +State or Province Name (full name) [Some-State]:DC +Locality Name (eg, city) []:DC +Organization Name (eg, company) [Internet Widgits Pty Ltd]:DHS +Organizational Unit Name (eg, section) []:CISA +Common Name (e.g. server FQDN or YOUR name) []:ENV +Email Address []: example@something.com +``` + +Note when this script is done it will have generated a .pem and a .crt file, as well as updated the cert info on the sandbox + +### Step 4 Delete the old cert + +Navigate to to the Login Partner Dashboard linked above and delete the old cert + +### Step 5 add the new cert + +In whichever directory you ran the script there should now be a .crt file named "public-ENV.crt", where ENV is the space name you used on Step 2. Upload this cert in the Login Partner Dashboard in the same section where you deleted the old one. + +### Production only + +This script should not be run in production. Instead, you will need to manually create the keys and then refrain from updating the sandbox. Once the cert is created you will upload it to the Login Partner Dashboard for our production system, and then open a ticket with them to update our existing Login.gov integration. Once they respond back saying it has been applied, you can then update the sandbox. + ## DJANGO_SECRET_KEY This is a standard Django secret key. See Django documentation for tips on generating a new one. @@ -46,6 +89,7 @@ This is a standard Django secret key. See Django documentation for tips on gener This is the base64 encoded private key used in the OpenID Connect authentication flow with Login.gov. It is used to sign a token during user login; the signature is examined by Login.gov before their API grants access to user data. +### Manually creating creating the Login Key Generate a new key using this command (or whatever is most recently [recommended by Login.gov](https://developers.login.gov/testing/#creating-a-public-certificate)): ```bash @@ -60,6 +104,8 @@ base64 private.pem You also need to upload the `public.crt` key if recently created to the login.gov identity sandbox: https://dashboard.int.identitysandbox.gov/ + + ## AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY To access the AWS Simple Email Service, we need credentials from the CISA AWS @@ -76,6 +122,8 @@ These are the client certificate and its private key used to identify the regist The private key is protected by a passphrase for safer transport and storage. +Note this must be reset once a year. + These were generated with the following steps: ### Step 1: Generate an unencrypted private key with a named curve @@ -90,7 +138,7 @@ openssl ecparam -name prime256v1 -genkey -out client_unencrypted.key openssl pkcs8 -topk8 -v2 aes-256-cbc -in client_unencrypted.key -out client.key ``` -### Generate the certificate +### Step 3: Generate the certificate ```bash openssl req -new -x509 -days 365 -key client.key -out client.crt -subj "/C=US/ST=DC/L=Washington/O=GSA/OU=18F/CN=GOV Prototype Registrar" @@ -112,7 +160,7 @@ base64 -i client.key base64 -i client.crt ``` -You'll need to give the new certificate to the registry vendor _before_ rotating it in production. Once it has been accepted by the vendor, make sure to update the kdbx file on Google Drive. +You'll need to give the new certificate to the registry vendor _before_ rotating it in production. Once it has been accepted by the vendor, make sure to update [the KBDX](https://docs.google.com/document/d/1_BbJmjYZNYLNh4jJPPnUEG9tFCzJrOc0nMrZrnSKKyw) file on Google Drive. ## REGISTRY_HOSTNAME diff --git a/ops/scripts/rotate_login_certs.sh b/ops/scripts/rotate_login_certs.sh index 41976d750..31363fe36 100755 --- a/ops/scripts/rotate_login_certs.sh +++ b/ops/scripts/rotate_login_certs.sh @@ -43,7 +43,7 @@ echo "Updating creds on the sandbox" cf uups getgov-credentials -p credentials-$1.json cf restage getgov-$1 --strategy rolling -echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/." +echo "\n\n\nNow you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/." echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?" echo "There are two things to update." echo "1. Remove the old cert associated with the user's email (under Public Certificates)"