Versions Compared

Old Version 1

changes.mady.by.user ubisebastian

Saved on

compared with

New Version 2

changes.mady.by.user John Jellema

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.



Info

These are the upgrade instructions to the latest release: SSO 9.0. If you are upgrading to a SSO 8.x.x version, please check the upgrade instructions for that particular release.

In the SSO version 9.0 there are of major changes that need to be taken into account in the upgrade process:

  • Java 8 is replaced with Java 11
    • step 1 for the previous version (Java 8)
    • steps 6 and 27 for the new version (Java 11)
  • Services are managed with systemd and no more with init.d
    • step 2 for the previous version (init.d)
    • step 22 and onward for the new version (systemd)
    • OpenLDAP version upgraded to 2.5.6
  • Backend has changed to use MDB instead of previous BDB which sets higher requirements on memory and disk storage
  • See System Recommendations and Supported Platforms for suggested memory and disk storage in regards to identities and sessions in the system
    • Two new parameters have been introduces in unix.config file that needs to be added manually after copying the old unix.config
  • openldap.maxsize = 10737418240
    • openldap.idlexp = 20
    Note
    Info

    These are the upgrade instructions to the latest release: SSO 9.1. If you are upgrading from a SSO 8.x.x version, ensure the upgrade steps to SSO 9.0 (Java11 and OpenLDAP mdb) have been considered.

    Note: we have removed all upgrade steps for SSO 8.x.x to SSO 9.0.0 - please ensure you follow the required upgrade instructions to move from SSO 8.x.x to SSO 9.0.0 then follow these upgrade steps to SSO 9.1.0



    1. For the version to be removed, make sure you still have Java 8 installed and JRE_HOME and JAVA_HOME set

    2. Stop the daemons that are running, ubisecure-accounting is a new service since 8.4:

      Code Block
      languagexml
      themeDefault
      /etc/init.d/ubilogin-server stop
/etc/init.d/ubilogin-directory stop
/etc/init.d/ubisecure-accounting stop


    3. Remove SSO and Accounting Service daemon configurations

      Code Block
      cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./config/tomcat/remove.sh


    4. Take a backup from Ubisecure Directory of the old SSO

      Code Block
      languagexml
      themeDefault
      /usr/local/ubisecure/ubilogin-sso/openldap/libexec/slapd -T cat -f "/usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/slapd.conf" -l /home/ubilogin/database.ldif


    5. Backup the existing Ubisecure SSO installation and OpenLDAP:

      Code Block
      languagexml
      themeDefault
      cd /usr/local/ubisecure
mv ubilogin-sso ubilogin-sso-old


    6. Replace Java installation with Java 11

      1. If you have a CustomerID installation running on the same SSO server node, stop the WildFly service at this point:

        Code Block
        systemctl stop wildfly


      2. Remove Java 8 installation
      3. Install Java 11 and set JAVA_HOME according to Installation requirements - SSO

    7. Extract the archive sso-x.x.x-unix.tar.gz to directory /usr/local/ubisecure use the full path to the archive you have downloaded

      Code Block
      languagexml
      themeDefault
      tar -xzvf sso-x.x.x-unix.tar.gz


    8. Copy unix.config file from the older version

      Code Block
      languagexml
      themeDefault
      cp /usr/local/ubisecure/ubilogin-sso-old/ubilogin/unix.config /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config


    9. Add the following lines if they do not exist in the file /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config, see further instructions for openldap specific values from here The Macro language - SSO

      Code Block
      languagexml
      themeDefault
      tomcat.instancename = ubilogin-server
openldap.instancename = ubilogin-directory
openldap.root= uid=System,ou=System,@suffix@
openldap.maxsize = 10737418240
openldap.idlexp = 20


    10. When upgrading from version 8.3.x or older, add the Accounting Service related settings if they do not exist in the file /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config. Modify the settings according to these guidelines.

      Code Block
      languagexml
      themeDefault
      # Accounting configuration
accounting.url = https://localhost:8442
accounting.proxy.local.url = @accounting.url@
accounting.instancename = ubisecure-accounting
accounting.datasource.url = jdbc:postgresql://localhost:5432/accountingdb
accounting.datasource.username = 
accounting.datasource.password = 
accounting.secret-key-location-uri = file:///${user.dir}/config/accounting-service.secret
accounting.actuator.username = accounting_admin
accounting.actuator.password = 
accounting.jms.broker.port = 36161
accounting.jms.broker.socket-timeout-ms = 10


    11. When upgrading from version 8.4 or newer, depending Depending of the location of your Accounting Service secret key you may need to copy the file from the older version. NOTE: The secret key must be the same during the entire reporting period which is a month, see Accounting Service security. Example (use the path you have set in the configuration):

      Code Block
      languagexml
      themeDefault
      cd /usr/local/ubisecure/ubilogin-sso-old
cp --parents accounting/config/accounting-service.secret ../ubilogin-sso


    12. Copy the following files and directories (recursively) from the previous installation to the matching ubilogin-sso directory. Note that Tomcat, Ubisecure SSO, and Accounting Service logs are retained. Let overwrite existing files or add flags -fn for the cp commands.

      When upgrading from versions 8.4 or newer, please
      Note
      Note

      Please notice that the Accounting Service custom configuration file:

      Code Block
      languagetext
      /usr/local/ubisecure/ubilogin-sso-old/ubilogin/custom/accounting/config/application.yaml

      which will copied with the copy statements below is not compatible with the newer version located at

      Code Block
      languagetext
      /usr/local/ubisecure/ubilogin-sso/ubilogin/config/accounting/config/application.yaml

      You need to check the following settings and manually convert them the corresponding new ones

      Since version 8.7:     server.use-forward-headers  →  server.forward-headers-strategy

                                          logging.file  →  logging.file.name

      Since version 9.0:     logging.file.max-history   logging.logback.rollingpolicy.max-history

      See also Accounting Service additional configuration.


      Code Block
      languagexml
      themeDefault
      cd /usr/local/ubisecure/ubilogin-sso-old
cp -r --parents ubilogin/custom/* ../ubilogin-sso
cp --parents ubilogin/config.index ../ubilogin-sso
cp -r --parents ubilogin/methods/* ../ubilogin-sso
cp -r --parents ubilogin/logs/* ../ubilogin-sso
cp -r --parents accounting/logs/* ../ubilogin-sso
cp -r --parents tomcat/logs/* ../ubilogin-sso
cp --parents ubilogin/webapps/cdc/WEB-INF/config.properties ../ubilogin-sso
cp --parents ubilogin/webapps/ROOT/robots.txt ../ubilogin-sso


    13. Check Password application

      Note

      NOTE:

      Password: Check from the current installation if Password application is enabled. To check, examine the file

      Code Block
      languagexml
      themeDefault
      /usr/local/ubisecure/ubilogin-sso-old/tomcat/conf/server.xml

      If the path /password is not commented out, Password application has been enabled in the previous installation.

      Skip this step if the Password application is not enabled.

      Copy the following files and directories from the previous installation to the matching ubilogin-sso directory:

      Code Block
      languagexml
      themeDefault
      /usr/local/ubisecure/ubilogin-sso-old/ubilogin/webapps/password/WEB-INF/password.properties
/usr/local/ubisecure/ubilogin-sso-old/ubilogin/webapps/password/WEB-INF/saml2


      Edit /usr/local/ubisecure/ubilogin-sso/ubilogin/config/tomcat/conf/server.xml and uncomment following line:
      <Context path="/password" docBase="${catalina.base}/webapps/password"/>

      Also check /usr/local/ubisecure/ubilogin-sso-old/ubilogin/webapps/password/WEB-INF/web.xml for mail.smtp.host and mail.smtp.from configuration and copy those to new web.xml (/usr/local/ubisecure/ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml)

    14. Check Common Domain Cookie Discovery

      Note

      NOTE:

      Common Domain Cookie Discovery

      Check from the previous installation if Common Domain Cookie Discovery has been enabled.

      To check, examine the file

      Code Block
      languagexml
      themeDefault
      /usr/local/ubisecure/ubilogin-sso-old/tomcat/conf/server.xml

      If the path /cdc is not  commented out, Common Domain Cookie Discovery has been enabled in the previous  installation.

      If Common Domain Cookie Discovery has been enabled prior to the upgrade, re-enable the settings after upgrade according to the Common Domain Cookie Discovery document.


    15. Run the setup script:

      Info
      titleTip

      Before running the setup script check if you want to preserve some of the settings that may otherwise be regenerated, see: Preserve essential configuration settings in upgrade.


      Code Block
      languagexml
      themeDefault
      cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./setup.sh


    16. After the setup script, you may still need to check some files from the backup folder if you have customised them. Compare the files under /usr/local/ubisecure/ubilogin-sso-old with the ones under /usr/local/ubisecure/ubilogin-sso and copy the necessary changes from:

      Code Block
      /usr/local/ubisecure/ubilogin-sso-old/ubilogin/webapps/uas/WEB-INF/uas.properties
/usr/local/ubisecure/ubilogin-sso-old/ubilogin/webapps/totp/WEB-INF/application.yaml


    17. Ensure that PostgreSQL server is installed and running. When upgrading from version 8.3.x or older, install and prepare PostgreSQL server. Since SSO version 8.4 with Accounting Service feature access to PostgreSQL database is required for the service to run. If you have already installed Ubisecure CustomerID you can use the existing PostgreSQL installation but you need to create a specific database for this purpose. The necessary tables are automatically created during the initial startup of the Accounting Service.

      See PostgreSQL preparation on Linux for more information and steps to accomplish.

    18. Ensure that PostgreSQL has been upgraded When upgrading from version 8.6 or older, upgrade PostgreSQL server (for supported versions, see System Recommendations) following PostgreSQL official upgrade documentation at https://www.postgresql.org/docs/12/upgrading.html.
      We have created Knowledge Base "How-to" article with information how we have tested the upgrade and also include estimated migration times. See Upgrade and migrate to new version of PostgreSQL

    19. If you have a clustered environment check that you have configured OpenLDAP replication in the following files as currently advised: /usr/local/ubisecure/ubilogin-sso-old/ubilogin/ldap/openldap/ldap_server_list.conf and /usr/local/ubisecure/ubilogin-sso-old/ubilogin/ldap/openldap/ldap_peer.conf, see OpenLDAP clustering: Install node 1. If not add the settings into these files before continuing with the OpenLDAP installation. If the settings are present copy the following files from the previous installation to the matching ubilogin-sso directory

      Code Block
      languagexml
      themeDefault
      /usr/local/ubisecure/ubilogin-sso-old/ubilogin/ldap/openldap/ldap*.conf


    20. If you have a clustered environment repeat the step advised in OpenLDAP clustering: Install node 1 and modify /usr/local/ubisecure/ubilogin-sso/ubilogin/config/settings.sh. Replace <node1-hostname> with your hostname.

      Code Block
      languagexml
      themeDefault
      ADD the following new line below the line reading "esac"
LDAP_LISTEN_URLS="ldap://<node1-hostname>:389 $LDAP_LISTEN_URLS"


    21. Remove old OpenLDAP installation and Restore the Ubisecure Directory from the backup

      Code Block
      languagexml
      themeDefault
      ./ldap/openldap/remove.sh
./ldap/openldap/install.sh --no-initdata
su ubilogin -c "/usr/local/ubisecure/ubilogin-sso/openldap/libexec/slapd -T add -f "/usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/slapd.conf" -l /home/ubilogin/database.ldif"


    22. Start the ubilogin-directory daemon:

      Code Block
      languagexml
      themeDefault
      systemctl start ubilogin-directory


    23. Important: Add new entries and update LDAP secrets into OpenLDAP, ignore warnings about e.g. existing entries

      Code Block
      languagebash
      ./ldap/openldap/import-changes.sh


    24. Verify your accounting customisation appears as you requireWhen upgrading from version 8.3.x or older, configure Accounting Service

      Before continuing with the installation which will start the Accounting Service you need to enter and save the secret key contents in the location referred by accounting.secret-key-location in unix.config. See Accounting Service security about the usage of the key for pseudonymisation. The page contains a suggested script to create a secure enough secret in the default location.

      You may also customise other Accounting Service configuration settings for your needs, which is recommended. See Accounting Service additional configuration about the properties to set.

      Note

      When customising edit this file which is copied from the installation package by the setup script: /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/accounting/config/application.yaml


    25. Reinstall SSO Tomcat and Accounting Service configuration and start the services. Since version 8.4 remove should be done before installation directory is replaced (see step 3.). About Accounting Service (ubisecure-accounting) start see also Linux single node installation.

      Code Block
      languagexml
      themeDefault
      cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./config/tomcat/install.sh 
systemctl start ubisecure-accounting
systemctl start ubilogin-server


    26. Ensure that you have imported initial key. This should have been completed during your upgrade from SSO 8.x.x to SSO 9.0.0When upgrading from version 8.8.x or older, import initial key.

      Note

      This operation needs to be done only once when upgrading from version 8.8.x or older to version 8.9.x or newer, and should not be done for any follow-up updates from 8.9.x or newer to newer versions.

      Server signing and decryption key management was updated for SSO 8.9 and the initial signing and decryption key generated during SSO setup must be imported manually in the new location in Ubilogin Directory.

      Code Block
      languagebash
      cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/import.sh ./ldap/initial-key.ldif


    27. The system upgrade is complete. For the new Java installation you need to import SSO certificate to Java trust store. See also other steps in Single node installation finalization.

      Note

      NOTE:  If you have Ubisecure CustomerID installed, you need to copy the Authorizer files at this point. For instructions, please see Related tasks when upgrading SSO in Linux - CustomerID.


    28. Remove the backed up ubilogin-sso-old directory, or rename and retain it as desired.
    29. Clear your web browser’s cache before accessing the user interface.