...
| Info |
|---|
| Last reviewed: 2018-05-04 |
...
- Back up Ubisecure Directory. See the instructions in Backup and restore Ubisecure Directory - SSO.
- Unpack the distribution package.
Extract the Ubisecure CustomerID distribution package in your home folder:

```shell
mkdir ~/customerid
cp customerid-x.x.x-linux.tar.gz ~/customerid/
cd ~/customerid
tar xzvf customerid-x.x.x-linux.tar.gz
```
- Check Java.
Ubisecure CustomerID requires the correct versions of:
- Java Runtime Environment (JRE) for Servers
- The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to be included in the Java installation
Please check the Java installation based on requirements mentioned in Installation and (upgrade) requirements - CustomerID.
If you haven't done so already during Java installation, make sure you have the following environment variables set related to Java. The values below are just examples; modify the paths according to your Java installation.
- Set the JAVA_HOME environment variable to the JDK folder (e.g. /usr/local/java/jdk1.8.0_181)
- Set the JRE_HOME environment variable to the JRE folder (e.g. /usr/local/java/jdk1.8.0_181/jre)

Additional SSL Considerations
Ubisecure CustomerID can be configured to make calls to third-party software during the user registration workflows. Typically, data entered by the user is verified against a CRM or other backend service to determine which access rights a user should be given automatically based on an existing service agreement.
If you plan to use back channel connections from Ubisecure CustomerID over SSL encrypted connections, you will have to add each server's certificate (its public key) to the Server JRE's cacerts file. You can find the cacerts file under ${JRE_HOME}/lib/security/cacerts. Once you have downloaded the server's certificate, you can add it to the key store with the following commands (changeit is the default password of the JRE cacerts store; if it has been changed on your installation, use that password instead):

```shell
cd ${JRE_HOME}/lib/security
${JAVA_HOME}/bin/keytool -importcert -trustcacerts -alias "<descriptive alias here>" -keystore cacerts -storepass changeit -file /path/to/certificate.cer
```

These commands can also be run at a later stage when third-party backend services are added to user registration workflows. Note that installing a new Java version brings a fresh cacerts file, so the imports need to be repeated after a Java upgrade.
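The environment variable check and the cacerts import above are easy to get subtly wrong (an unset JRE_HOME, an alias that already exists, a certificate file that is not where you think). The script below is an added example and not part of the Ubisecure documentation or tooling: check_java_env verifies that JAVA_HOME and JRE_HOME point at a usable installation, and import_server_cert wraps the documented keytool command with those checks, refuses to overwrite an existing alias, and lists the imported entry afterwards so its fingerprint can be recorded. Both function names and the CACERTS_PASS variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the Ubisecure documentation: pre-flight checks for the
# Java environment and a guarded wrapper around the documented cacerts import.
# check_java_env, import_server_cert and CACERTS_PASS are names chosen here.

# Verify JAVA_HOME and JRE_HOME are set and point at real Java installations.
# Returns 0 when everything is in place, 1 otherwise (reason printed to stderr).
check_java_env() {
    [ -n "$JAVA_HOME" ] || { echo "JAVA_HOME is not set" >&2; return 1; }
    [ -n "$JRE_HOME" ]  || { echo "JRE_HOME is not set" >&2; return 1; }
    [ -x "$JAVA_HOME/bin/keytool" ] || { echo "no keytool under $JAVA_HOME/bin" >&2; return 1; }
    [ -x "$JRE_HOME/bin/java" ] || { echo "no java under $JRE_HOME/bin" >&2; return 1; }
    [ -f "$JRE_HOME/lib/security/cacerts" ] || { echo "no cacerts under $JRE_HOME/lib/security" >&2; return 1; }
    return 0
}

# Import a backend server certificate into the Server JRE trust store.
# Usage: import_server_cert <alias> <certificate file>
# Returns 0 when imported and verified, 2 on bad input or environment,
# 3 when keytool itself failed.
import_server_cert() {
    cert_alias="$1"; certfile="$2"
    [ -n "$cert_alias" ] || { echo "usage: import_server_cert <alias> <cert file>" >&2; return 2; }
    [ -r "$certfile" ] || { echo "certificate file not readable: $certfile" >&2; return 2; }
    check_java_env || return 2
    store="$JRE_HOME/lib/security/cacerts"
    # 'changeit' is the JRE default store password; set CACERTS_PASS if yours differs.
    pass="${CACERTS_PASS:-changeit}"
    # keytool -list exits non-zero when the alias is absent; refuse to overwrite silently.
    if "$JAVA_HOME/bin/keytool" -list -keystore "$store" -storepass "$pass" -alias "$cert_alias" >/dev/null 2>&1; then
        echo "alias '$cert_alias' already exists in $store; choose another alias or remove it first" >&2
        return 2
    fi
    "$JAVA_HOME/bin/keytool" -importcert -trustcacerts -noprompt \
        -keystore "$store" -storepass "$pass" \
        -alias "$cert_alias" -file "$certfile" || return 3
    # Show the stored entry (with fingerprint) so the change can be recorded.
    "$JAVA_HOME/bin/keytool" -list -keystore "$store" -storepass "$pass" -alias "$cert_alias"
}
```

Run it as `import_server_cert crm-backend /path/to/certificate.cer` after sourcing the file; the same JAVA_HOME and JRE_HOME values set in the step above are reused, so the import lands in the trust store the Server JRE actually reads.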
- Install WildFly. See the instructions in WildFly installation on Linux - CustomerID.
- Extract the deployment template.
Create the folder /usr/local/ubisecure if one does not exist yet and extract the archive cid-deployment-template-x.x.x-linux.tar.gz therein:

```shell
mkdir -p /usr/local/ubisecure
cd /usr/local/ubisecure
tar xzvf ~/customerid/cid-deployment-template-x.x.x-linux.tar.gz
```

An optional additional step is to also copy the file containing versioning information from the installation package to the installation folder:

```shell
cp ~/customerid/customerid-x.x.x-versioninfo.txt /usr/local/ubisecure/
```
- Edit the setup template and run setup. See the instructions in Setup template on Linux - CustomerID.
- Configure WildFly. See the instructions in WildFly configuration on Linux - CustomerID.
- Prepare PostgreSQL. See the instructions in PostgreSQL preparation on Linux - CustomerID.
- Create a JDBC data source in WildFly.
Ubisecure CustomerID uses a JDBC data source to access the database, so one needs to be created in WildFly before the Ubisecure CustomerID application can be deployed. There is a script in the distribution package's tools folder for this purpose: create-datasource.sh. Note that the linux.config file must have been configured, setup.sh must have been run successfully, and WildFly must be running before the create-datasource.sh script can be run successfully.

```shell
cd /usr/local/ubisecure/customerid/tools
./create-datasource.sh
```
- Create a directory service for Ubisecure CustomerID SQL in SSO Management. See the instructions in SQL directory service creation on Linux - CustomerID.
- Create web agents for Ubisecure CustomerID.
Ubisecure CustomerID needs two web agents. The first one provides login functionality for the Ubisecure CustomerID user interfaces and also the LDAP user account that Ubisecure CustomerID uses when accessing Ubisecure Directory. The second web agent is used when performing verifications during registrations. The Ubisecure CustomerID installation package contains LDIF import files that need to be imported into Ubisecure Directory using the import functionality of Ubisecure SSO.

Importing the web agents:

1. Copy the LDIF files in /usr/local/ubisecure/customerid/application/ldap on the Ubisecure CustomerID server to the Ubisecure SSO server. You can place them, for example, in a folder called customerid-ldifs in the home directory.
2. Use the script import.sh in the path UBILOGIN_HOME/ldap/openldap/import.sh to import these files:

```shell
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap
./import.sh ~/customerid-ldifs/customerid.ldif
./import.sh ~/customerid-ldifs/customerid-secrets.ldif
```

NOTE: If the import script prompts for the LDAP password, you can find the correct password in the file /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config in the property openldap.root.password. As customerid-secrets.ldif carries credentials, remove the copied LDIF files from the SSO server once the import has succeeded.

- Create a directory service for Ubisecure CustomerID LDAP in SSO Management. See the instructions in LDAP directory service creation on Linux - CustomerID.
...
- Install the PostgreSQL JDBC driver to the SSO node(s).
The Ubisecure CustomerID package includes the PostgreSQL JDBC driver.

NOTE: The installation instructions concerning the PostgreSQL JDBC driver for SSO are written for a single Ubisecure SSO node. If you have more nodes, these instructions should be followed on all of them.

To install the PostgreSQL JDBC driver to Ubisecure SSO, transfer the library postgresql-x.x.x.jar to the Ubisecure SSO server and copy it to the folder /usr/local/ubisecure/ubilogin-sso/lib/ext.
- Install Ubisecure CustomerID SSO Adapter to the SSO node(s). See the instructions in SSO adapter installation on Linux - CustomerID.
...
- Add authentication method configurations in Ubisecure SSO Management. See the instructions in Authentication method configuration on Linux - CustomerID.
- Create a site specific configuration for Ubisecure CustomerID.
NOTE: This step is very important as some configuration options cannot be changed after this step.

Creating a site specific configuration for Ubisecure CustomerID is done by editing the file custom/eidm2.properties and other Ubisecure CustomerID configuration files. For more information about the configuration options, refer to Configuration - CustomerID. Examples of the types of configurations required include:
- defining user registration workflows
- defining organization types and roles
- defining what strong authentication methods are available
- defining policies for login names
Generally, it is recommended to use a very basic eidm2.properties configuration first, ensure the system is fully configured and running, and then modify the settings later to match the use case requirements. Execute the following commands to create and edit the eidm2.properties file:

```shell
cd /usr/local/ubisecure/customerid/application/custom
nano eidm2.properties
```

Typical entries include:

```properties
# use email address as the username when logging in
# this requires that directory.account.login=mail is added to the password.2 authentication method settings
# without this setting, the default uid is used as the username when logging in
general.login.attribute = mail
# where to redirect the user when an error occurs or the user presses exit - generally the home page of the target service
general.default.returnUrl = https://www.example.com
# where to redirect the user after logout has been performed
general.default.logoutReturnUrl = https://www.example.com
```
- Download Identity Provider metadata from Ubisecure SSO and generate Service Provider metadata.
1. Download IDP metadata by running the following commands:

```shell
cd /usr/local/ubisecure/customerid/tools
./get-metadata.sh
```

2. Initialize the Ubisecure CustomerID SPs:

```shell
cd /usr/local/ubisecure/customerid/tools
./init-eidm-sp.sh
```

3. Initialize the authentication provider:

```shell
cd /usr/local/ubisecure/customerid/tools
./init-eidm-ap.sh
```
- Deploy Ubisecure CustomerID to WildFly.
Ubisecure CustomerID uses WildFly as a J2EE container. The next step is to deploy the cid-ear-x.x.x.ear and cid-worker-ear-x.x.x.ear enterprise archives (EARs). Deploy the Ubisecure CustomerID applications to WildFly using the deploy-ear.sh command. When invoking the command, you must supply the path to the EAR file, as in the example below:

```shell
cd /usr/local/ubisecure/customerid/tools
./deploy-ear.sh ~/customerid/cid-ear-x.x.x.ear
./deploy-ear.sh ~/customerid/cid-worker-ear-x.x.x.ear
```
- Configure SELinux.
If a reverse proxy is used on a host with SELinux enabled, allow the web server domain to open network connections to WildFly:

```shell
/usr/sbin/setsebool httpd_can_network_connect 1
```

Without the -P option the boolean is reset at the next reboot; add -P to make the setting persistent.
- Restart Ubisecure CustomerID.
When we restart Ubisecure CustomerID, we will also set the final permissions on the installation folder for the user wildfly, to make sure we won't have problems with file permissions.

```shell
systemctl stop wildfly.service
chown -R wildfly. /usr/local/ubisecure/customerid
chmod -R o-xrw /usr/local/ubisecure/customerid
systemctl start wildfly.service
```
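The ownership and permission step above is the one that keeps eidm2.properties, the LDIF secrets and the data source credentials out of reach of other local users, so it is worth verifying rather than assuming. The function below is an added example, not part of the Ubisecure tooling: it performs the same chown and chmod as the documented step, parameterised by directory and owner (defaulting to wildfly), and then searches the tree for anything that still has an "other" permission bit set, returning non-zero if the lock-down did not take. lock_down_install_dir and count_world_readable are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the Ubisecure documentation: apply the documented
# ownership/permission step and verify that nothing under the install folder
# remains accessible to "other". Function names are this example's own.

# Usage: lock_down_install_dir <directory> [owner]   (owner defaults to wildfly)
# Returns 0 when no entry under <directory> is readable, writable or executable
# by "other"; 1 when something is still exposed; 2 on bad input or a failed step.
lock_down_install_dir() {
    dir="$1"; owner="${2:-wildfly}"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Same as the documented step: "owner:" sets the group to the owner's login
    # group, like "wildfly." in the instructions; then strip all "other" bits.
    chown -R "$owner:" "$dir" || return 2
    chmod -R o-rwx "$dir" || return 2
    # Verification: -perm /007 matches any entry with at least one "other" bit set.
    leftovers=$(find "$dir" -perm /007 2>/dev/null)
    if [ -n "$leftovers" ]; then
        echo "world-accessible entries remain under $dir:" >&2
        echo "$leftovers" >&2
        return 1
    fi
    return 0
}

# Number of entries under <directory> that are world-readable, for reporting
# before and after the lock-down.
count_world_readable() {
    find "$1" -perm /004 | wc -l | tr -d ' '
}
```

Run it between the stop and start commands of the documented step, for example `lock_down_install_dir /usr/local/ubisecure/customerid || exit 1`, so WildFly is only started again when the check passes.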
- Initialize data storages.
Initialize the database and repository by running the following scripts:

```shell
cd /usr/local/ubisecure/customerid/tools
./init-customerid-data-storages.sh
./get-metadata-for-ap.sh
```
...