Info |
---|
Last reviewed: 2020-05-29 |
Note |
---|
IMPORTANT: Sign in using an Administrator account - the same account used during initial product installation. |
...
Stop the services that are running, ubisecureaccounting
is a new service since 8.4.
Code Block | ||||
---|---|---|---|---|
| ||||
net stop ubiloginserver
net stop ubilogindirectory
net stop ubisecureaccounting |
...
Remove SSO and Accounting Service Windows service configurations
Code Block | ||||
---|---|---|---|---|
| ||||
cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
config\tomcat\remove.cmd
|
...
Move the existing installation to ubilogin-sso-old directory.
Code Block | ||||
---|---|---|---|---|
| ||||
cd /d "C:\Program Files\Ubisecure\"
move ubilogin-sso ubilogin-sso-old |
...
Copy win32.config
and config.index
file from the older version. Overwrite config.index
.
...
Info |
---|
Last reviewed: 2020-05-29 |
Note |
---|
IMPORTANT: Sign in using an Administrator account - the same account used during initial product installation. |
- Make sure you have Java installed, JRE_HOME and JAVA_HOME set according to Installation requirements - SSO.
Stop the services that are running,
ubisecureaccounting
is a new service since 8.4.Code Block language xml theme Default copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\win32.config" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config" copynet stop ubiloginserver net stop ubilogindirectory net stop ubisecureaccounting
- Backup and restore - Ubisecure Directory
Remove SSO and Accounting Service Windows service configurations
If upgrading from version prior to 6.8, add the following lines to the file C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config, if not there yet.Code Block language xml theme Default cd /d "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\config.index" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config.index"
config\tomcat\remove.cmd
Move the existing installation to ubilogin-sso-old directory.
When upgrading from version 8.3.x or older, add the Accounting Service related settings if they do not exist in the fileCode Block language xml theme Default tomcat.instancename = UbiloginServer tomcat.username = NT AUTHORITY\\LocalService adam.username = NT AUTHORITY\\NetworkService
cd /d "C:\Program Files\Ubisecure\" move ubilogin-sso ubilogin-sso-old
- Extract the archive
ubilogin-sso-8.x.x.xxxxx.zip
to a temporary location. - Move the complete unzipped ubilogin-sso directory from the distribution package to
C:\Program Files\Ubisecure
\ubilogin-sso\ubilogin\. Copy
win32.config
andconfig.
Modify the settings according to these guidelines.index
file from the older version. Overwriteconfig.index
.Code Block language xml theme Default # Accounting configuration accounting.url = https://localhost:8442 accounting.proxy.local.url = @accounting.url@ accounting.instancename = UbisecureAccounting accounting.username = @tomcat.username@ accounting.datasource.url = jdbc:postgresql://localhost:5432/accountingdb accounting.datasource.username = accounting.datasource.password = accounting.secret-key-location-uri = file:///${user.dir}/config/accounting-service.secret accounting.actuator.username = accounting_admin accounting.actuator.password = accounting.jms.broker.port = 36161 accounting.jms.broker.socket-timeout-ms = 10
When upgrading from version 8.4 or later, copy Accounting Service logs from the old SSO version:
Code Block language xml theme Default mkdir "C:\Program Files\Ubisecure\ubilogin-sso\accounting\logs" copy "C:\Program Files\Ubisecure\ubilogin-sso-old\accounting\logs" "C:\Program Files\Ubisecure\ubilogin-sso\accounting\logs"
When upgrading from version 8.4 or later, depending of the location of your Accounting Service secret key you may need to copy the file from the older version. NOTE: The secret key must be the same during the entire reporting period which is a month, see Accounting Service security. Example (use the path you have set in the configuration):
Code Block language xml theme Default mkdir copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\win32.config" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config" copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\config.index" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config.index"
If upgrading from version prior to 6.8, add the following lines to the file C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config, if not there yet.
Code Block language xml theme Default tomcat.instancename = UbiloginServer tomcat.username = NT AUTHORITY\\LocalService adam.username = NT AUTHORITY\\NetworkService
When upgrading to version 8.4 add the Accounting Service related settings if they do not exist in the file
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config
. Modify the settings according to these guidelines.Code Block language xml theme Default # Accounting configuration accounting.url = https://localhost:8442 accounting.proxy.local.url = @accounting.url@ accounting.instancename = UbisecureAccounting accounting.username = @tomcat.username@ accounting.datasource.url = jdbc:postgresql://localhost:5432/accountingdb accounting.datasource.username = accounting.datasource.password = accounting.secret-key-location-uri = file:///${user.dir}/config/accounting-service.secret accounting.actuator.username = accounting_admin accounting.actuator.password = accounting.jms.broker.port = 36161 accounting.jms.broker.socket-timeout-ms = 10
If Accounting Service has already been installed and in use copy Accounting Service logs from the older version:
Code Block language xml theme Default mkdir "C:\Program Files\Ubisecure\ubilogin-sso\accounting\configlogs" copy "C:\Program Files\Ubisecure\ubilogin-sso-old\accounting\config\accounting-service.secret" "C:\logs" "C:\Program Files\Ubisecure\ubilogin-sso\accounting\configlogs"
Copy the following files and directories (recursively) from the previous installation to the matching ubilogin-sso directory. Note that both Tomcat and Ubisecure SSO logs are retained.If Accounting Service has already been installed and in use depending of the location of your Accounting Service secret key you may need to copy the file from the older version. NOTE: The secret key must be the same during the entire reporting period which is a month, see Accounting Service security. Example (use the path you have set in the configuration):
Code Block language xml theme Default xcopymkdir "C:\Program Files\Ubisecure\ubilogin-sso-old\ubiloginaccounting\customconfig" copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\custom" /e /y xcopy accounting\config\accounting-service.secret" "C:\Program Files\Ubisecure\ubilogin-sso-old\ubiloginaccounting\methods" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\methods" /e /y xcopy "config"
Copy the following files and directories (recursively) from the previous installation to the matching ubilogin-sso directory. Note that both Tomcat and Ubisecure SSO logs are retained.
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\custom\logs"* "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\logs" /e /y xcopy "config.index C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\tomcatmethods\logs"* "C:\Program Files\Ubisecure\ubilogin-sso-old\tomcatubilogin\logs" /e /y copy "\* C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogintomcat\webapps\uas\WEB-INF\uas.properties" "logs\* C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\uas\WEB-INF\uas.properties" copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\cdc\WEB-INF\config.properties" "C:\Programproperties
If Updating to a version prior to 8.2, copy the following file from the previous installation to the matching ubilogin-sso directory.
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\cdc\WEB-INF\config.properties" /y copy-old\java\windows-x64\jre\lib\security\cacerts
If Updating from a version prior to 8.2 to version 8.2 or later and using an external user directory (other than Ubilogin Directory) or SMTP server, import the AD and/or SMTP server certificates to the Java keystore file.
Note NOTE: Java has been removed from the SSO installation since version 8.2. SSO uses currently Java in the C:\Program Files\Java\ directory. To view all certificates from the old java keystore file, execute the command:
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\java\windows-x64\jre\lib\security>..\..\bin\keytool -list -keystore cacerts
To export a certificate from the old java keystore file, execute the command:
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\java\windows-x64\jre\lib\security>..\..\bin\keytool -exportcert -keystore cacerts -alias <"user_defined_alias"> -file <path_to_the_certificate_file>
To import a certificate to the current java keystore, execute the command:
Code Block language xml theme Default C:\Program Files\java\jrex.x.x_xxx\lib\security>..\..\bin\keytool -import -file <path_to_the_certificate_file> -alias <"user_defined_alias"> -keystore cacerts
To verify that the certificate was succesfully added to the Java keystore, execute the command:
Code Block language xml theme Default C:\Program Files\java\jrex.x.x_xxx\lib\security>..\..\bin\keytool -list -keystore cacerts -alias <"user_defined_alias">
Check the Common Domain Cookie Discovery and SAML Compatibility Flags.
Note NOTE:Common Domain Cookie DiscoveryCheck from the current installation if Common Domain Cookie Discovery is installed or SAML Compatibility Flags have been used. To check, examine the file
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\tomcat\conf\server.xml
If the path /cdc is not commented out, Common Domain Cookie Discovery has been enabled in the previous installation.If Common Domain Cookie Discovery has been installed prior to the update, re-enable the settings after update according to the Common Domain Cookie Discovery Installation document.SAML Compatibility Flags. Older versions of SSO stored server-level SAML Compatibility Flags in the application configuration files. These flags are now stored in LDAP and managed through the user interfaces.If SAML Compatibility Flags have been activated prior to the update remember to set those again manually. To check, examine
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\uas\WEB-INF\uas.properties
If the line
Code Block language xml theme Default com.ubisecure.ubilogin.uas.saml2.compatibility =
exists and is not blank, make a note of all values and copy them later to the main screen of SSO Management to the field Compatibility Flags when installation is completed. Multiple values are separated with a whitespace character. The values are case sensitive. The values should remain visible on the screen after pressing Update. If the value disappears, check for typing errors.
Run the setup script
Note NOTE: Ubisecure System Administrator password will be reset after upgrading the directory. The password will be set to the default value specified in the configuration file (win32.config or unix.config) with the key system.password.
You should either
a) Set the default password in the configuration file to a new stronger password before updating, or
b) Block external HTTP/S access to the system during the update process. You will be prompted to enter a new system password during the first login attempt. After the password is changed, unblock access to the system.Code Block language xml theme Default cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin" setup.cmd
- When upgrading to version 8.4 install and prepare PostgreSQL. Since SSO version 8.4 with Accounting Service feature access to PostgreSQL database is required for the service to run. If you have already installed Ubisecure CustomerID you can use the existing PostgreSQL installation but you need to create a specific database for this purpose. The necessary tables are automatically created during the initial startup of the Accounting Service. See PostgreSQL preparation on Windows for more information and steps to accomplish.
Start the UbiloginDirectory service
Code Block language xml theme Default net start ubilogindirectory
- Upgrading Ubisecure DirectoryTo update your ADAM or AD LDS installation, the schema and directory settings of the instance must be updated. Before starting, make sure that you are logged in with the same user account that was used to install ADAM or AD LDS.
To update the schema and directory settings, execute the command adaminstall.cmd shown below.This command updates the LDAP schema and does not delete existing user or configuration data.
Check the Common Domain Cookie Discovery.Code Block language xml theme Default cd /d "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\ROOT\robots.txt" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\ROOT\robots.txt"
ldap" adam\adaminstall.cmd
Note NOTE: Common Domain Cookie Discovery: Check from the current installation if Common Domain Cookie Discovery is installed . To check, examine the file
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\tomcat\conf\server.xml
If the path /cdc is not commented out, Common Domain Cookie Discovery has been enabled in the previous installation.If Common Domain Cookie Discovery has been installed prior to the update, re-enable the settings after update according to the Common Domain Cookie Discovery document.
Run the setup script
Note NOTE: Ubisecure System Administrator password will be reset after upgrading the directory. The password will be set to the default value specified in the configuration file (win32.config or unix.config) with the key system.password.
You should either
a) Set the default password in the configuration file to a new stronger password before updating, or
b) Block external HTTP/S access to the system during the update process. You will be prompted to enter a new system password during the first login attempt. After the password is changed, unblock access to the system. Please note that the system password is reset to the value contained in ubilogin\ldap\system-password.ldifAt minimum you need to add Accounting Service related settings to LDAP use e.g. this command:
Code Block adam\import-changes.cmd
If robots.txt has been changed, copy the following file from the previous installation to the matching ubilogin-sso directory:
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\ROOT\robots.txt
If the Password reset and password change application is used, copy the following files and directories from the previous installation to the matching ubilogin-sso directory. Also, edit the server.xml file and check the web.xml file configuration. Skip this step if the Password reset and password change application is not used.Copy the following files to the matching ubilogin-sso directory:
When upgrading from version 8.3.x or older, install and prepare PostgreSQL. Since SSO version 8.4 with Accounting Service feature access to PostgreSQL database is required for the service to run. If you have already installed Ubisecure CustomerID you can use the existing PostgreSQL installation but you need to create a specific database for this purpose. The necessary tables are automatically created during the initial startup of the Accounting Service. See PostgreSQL preparation on Windows for more information and steps to accomplish.Code Block language xml theme Default cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin" setup.cmd
Start the UbiloginDirectory service-old\ubilogin\webapps\password\WEB-INF\password.properties C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\saml2
Edit
server.xml file
and uncomment:
<Context path="/password" docBase="${catalina.base}/webapps/password"/>
Upgrading Ubisecure DirectoryCode Block language xml theme Default net start ubilogindirectory
To update your ADAM or AD LDS installation, the schema and directory settings of the instance must be updated. Before starting, make sure that you are logged in with the same user account that was used to install ADAM or AD LDS.To update the schema and directory settings, execute the command adaminstall.cmd shown below.This command updates the LDAP schema and does not delete existing user or configuration data.
Code Block language xml theme Default cd /d "C:\Program notepad C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\conf\server.xml
Also check web.xml for mail.smtp.host and mail.smtp.from configuration and copy those to new web.xml (C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\
ldap" adam\adaminstall.cmdWHAT IS THE MEANING OF THIS NOTE? Isn't the password restored by following the steps below? Why it's important to note this, what should the installer do based on this information?Note NOTE: Please note that the system password is reset to the value contained in ubilogin\ldap\system-password.ldif THE FOLLOWING IS VERY UNCLEAR. Should the command be run or not? What else should/could be done ("at minimum")?
At minimum you need to add Accounting Service related settings to LDAP use e.g. this command:Code Block adam\import-changes.cmd
HOW TO CHECK IF THESE APPLICATIONS ARE USED OR NOT?
If the Password reset and password change application is used, copy the following files and directories webapps\password\WEB-INF\web.xml)Code Block language xml theme Default notepad C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\web.xml
If the environment has an external SQL database, copy the JDBC driver provided by the database vendor from the previous installation to the matching ubilogin-sso directory. Also, edit the server.xml file and check the web.xml file configuration. Skip this step if the Password reset and password change application is not used.
PASSWORD-RESET MISSING HERE?
Copy the following files to the matching ubilogin-sso directoryjava directory depending on the old and new SSO versions. Skip the step if the environment does not have an external SQL database or if both old and new SSO versions are 8.2 or later.Old and new SSO versions prior 8.2:Code Block C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\password.propertieslanguage xml theme Default copy C:\Program Files\Ubisecure\ubilogin-sso-old\java\ubiloginwindows-x64\webappsjre\passwordlib\WEB-INF\saml2
Edit
server.xml file
and uncomment:
<Context path="/password" docBase="${catalina.base}/webapps/password"/>
Also check web.xml for mail.smtp.host and mail.smtp.from configuration and copy those to new web.xml (Code Block language xml theme Default notepadext\{INSERT DRIVER FILENAME} C:\Program Files\Ubisecure\ubilogin-sso\ubiloginjava\configwindows-x64\tomcatjre\conf\server.xml
lib\ext
Old SSO version prior to 8.2 and new SSO version 8.2 or later:
\ubilogin\webapps\password\WEB-INF\web.xml)Code Block language xml theme Default copy C:\Program Files\Ubisecure\ubilogin-sso
Code Block language xml theme Default notepad-old\java\windows-x64\jre\lib\ext\{INSERT DRIVER FILENAME} C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\web.xml
When upgrading from version 8.3.x or older, configure Accounting Service
IF POSSIBLE, ADD CLEAR INSTRUCTIONS HERE INSTEAD OF THE LINK.Java\jrex.x.x_xxx\lib\ext{INSERT DRIVER FILENAME}
When upgrading to version 8.4 configure Accounting Service
Before continuing with the installation which will start the Accounting Service you need to enter and save the secret key contents in the location referred by
accounting.secret-key-location
inwin32.config
. See Accounting Service security about the usage of the key for pseudonymisation.You may also customise other Accounting Service configuration settings for your needs, which is recommended. See Accounting Service additional configuration about the properties to set.
Note When customising edit this file which is copied from the installation package by the setup script: C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\accounting\config\application.yaml
Update Tomcat and Accounting Service configuration and restart the services. Since version 8.4 remove should be done before installation directory is replaced. About Accounting Service start see also Windows single node installation.
Code Block language xml theme Default cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin" config\tomcat\install.cmd
The system upgrade is complete. See also Single node installation finalization.
Note NOTE: If you have Ubisecure CustomerID installed, you need to copy the Authorizer files at this point. For instructions, please see document Ubisecure CustomerID Installation, chapter Customer ID SSO Adapter Installation on Windows. - Either securely remove the backed up ubilogin-sso-old directory, or rename it and store it in a secure location. All configuration files in the old installation directory (win32.config and unix.config) should either be removed from the system or otherwise protected from unauthorized users.
- Clear your web browser’s cache before accessing the user interface.
The user interface has changed in version 7.1 to support responsive design. Existing user interfaces are supported, but must be updated to enable backward compatibility. directory. For each template.properties file in the custom\templates directory, add the following text as the first line of the file
Code Block language xml theme Default # enable backward compatibility for SSO 6.x templates@import = sso6
If the template contains a CSS reference, add the following line to the top of the referenced CSS file.
Code Block language xml theme Default /* enable backward compatibility for SSO 6.x templates */@import "sso6.css";
If the CSS file contains references to graphical or other resources hosted by the Ubisecure SSO as a resource, ensure the resource path is a relative path. An example is shown below:
Code Block language xml theme Default #intro { background-image: url("resource/intro-box-custom-background.png") }
Test all custom user interfaces. To implement a responsive design, create a new template, removing the “import” lines and adjust the CSS tags to match new CSS design. The responsive CSS is available after default installation at the address (where UAS_URL is the hostname for the installation):
Code Block language xml theme Default https://UAS_URL/uas/template/default/default.css
...