Info |
---|
These are the upgrade instructions to the latest release: SSO 9. 1. If you are upgrading from a SSO 8.x.x version, |
Note |
---|
In the SSO version 9.0 Java 8 is replaced with Java 11 which needs to be taken into account in the upgrade process:
|
ensure the upgrade steps to SSO 9.0 (Java11 and OpenLDAP mdb) have been considered. Note: we have removed all upgrade steps for SSO 8.x.x to SSO 9.0.0 - please ensure you follow the required upgrade instructions to move from SSO 8.x.x to SSO 9.0.0 then follow these upgrade steps to SSO 9.1.0 |
Note |
---|
IMPORTANT: Sign in using an Administrator account - the same account used during initial product installation. |
- For the version to be removed, make sure you still have Java 8 installed and JRE_HOME and JAVA_HOME set
Stop the services that are running,
ubisecureaccounting
is a new service since 8.4.Code Block language xml theme Default net stop ubiloginserver net stop ubilogindirectory net stop ubisecureaccounting
- Backup and restore - Ubisecure Directory
Remove SSO and Accounting Service Windows service configurations
Code Block language xml theme Default cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin" config\tomcat\remove.cmd
Move the existing installation to ubilogin-sso-old directory.
Replace Java installation with Java 11Code Block language xml theme Default cd "C:\Program Files\Ubisecure\" move ubilogin-sso ubilogin-sso-old
If you have a CustomerID installation running on the same SSO server node, stop the WildFly service at this point:
codenet stop wildfly
Remove Java 8 installation
- Install Java 11 and set JAVA_HOME according to Installation requirements - SSO
- Extract the archive
ubilogin-sso-8.x.x.xxxxx.zip
to a temporary location. - Move the complete unzipped ubilogin-sso directory from the distribution package to
C:\Program Files\Ubisecure
. Copy
win32.config
andconfig.index
file from the older version. Overwriteconfig.index
.Code Block language xml theme Default copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\win32.config" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config" copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\config.index" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config.index"
If upgrading from version prior to 6.8, add the following lines to the file C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config, if not there yet.
Code Block language xml theme Default tomcat.instancename = UbiloginServer tomcat.username = NT AUTHORITY\\LocalService adam.username = NT AUTHORITY\\NetworkService
When upgrading from version 8.3.x or older, add the Verify the following Accounting Service related settings if they do not exist in the file
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config
. Modify the settings are according to your requirements, check these guidelines.Code Block language xml theme Default # Accounting configuration accounting.url = https://localhost:8442 accounting.proxy.local.url = @accounting.url@ accounting.instancename = UbisecureAccounting accounting.username = @tomcat.username@ accounting.datasource.url = jdbc:postgresql://localhost:5432/accountingdb accounting.datasource.username = accounting.datasource.password = accounting.secret-key-location-uri = file:///${user.dir}/config/accounting-service.secret accounting.actuator.username = accounting_admin accounting.actuator.password = accounting.jms.broker.port = 36161 accounting.jms.broker.socket-timeout-ms = 10
When upgrading from version 8.4 or newer, depending Depending of the location of your Accounting Service secret key you may need to copy the file from the older version. NOTE: The secret key must be the same during the entire reporting period which is a month, see Accounting Service security. Example (use the path you have set in the configuration):
Code Block language xml theme Default mkdir "C:\Program Files\Ubisecure\ubilogin-sso\accounting\config" copy "C:\Program Files\Ubisecure\ubilogin-sso-old\accounting\config\accounting-service.secret" "C:\Program Files\Ubisecure\ubilogin-sso\accounting\config"
Copy the following files and directories (recursively) from the previous installation to the matching
ubilogin-sso
directory. Note that Tomcat, Ubisecure SSO, and Accounting Service logs are retained.Note When upgrading from versions 8.4 or newer, please notice Verify that the Accounting Service custom configuration file:
Code Block language text C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\custom\accounting\config\application.yaml
which will copied with the
copy
statements below is not compatible with the newer version in the installation package located atCode Block language text C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\accounting\config\application.yaml
You need to check the following settings and manually convert them the corresponding new ones
Since version 8.7:server.use-forward-headers
→server.forward-headers-strategy
logging.file
→logging.file.name
Since version 9.0:
logging.file.max-history
→logging.logback.rollingpolicy.max-history
Code Block language xml theme Default xcopy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\custom" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom" /e /y xcopy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\methods" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\methods" /e /y xcopy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\logs" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\logs" /e /y xcopy "C:\Program Files\Ubisecure\ubilogin-sso-old\tomcat\logs" "C:\Program Files\Ubisecure\ubilogin-sso\tomcat\logs" /e /y xcopy "C:\Program Files\Ubisecure\ubilogin-sso-old\accounting\logs" "C:\Program Files\Ubisecure\ubilogin-sso\accounting\logs" /e /y copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\cdc\WEB-INF\config.properties" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\cdc\WEB-INF\config.properties" copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\ROOT\robots.txt" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\ROOT\robots.txt"
Check the Common Domain Cookie Discovery.
Note NOTE:
Common Domain Cookie Discovery: Check from the current installation if Common Domain Cookie Discovery is installed . To check, examine the file
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\tomcat\conf\server.xml
If the path /cdc is not commented out, Common Domain Cookie Discovery has been enabled in the previous installation.If Common Domain Cookie Discovery has been installed prior to the update, re-enable the settings after update according to the Common Domain Cookie Discovery document.
Run the setup script
Info title Tip Before running the setup script check if you want to preserve some of the settings that may otherwise be regenerated, see: Preserve essential configuration settings in upgrade.
Note NOTE: Ubisecure System Administrator password will be reset after upgrading the directory. The password will be set to the default value specified in the configuration file (win32.config or unix.config) with the key system.password.
You should either
a) Set the default password in the configuration file to a new stronger password before updating, or
b) Block external HTTP/S access to the system during the update process. You will be prompted to enter a new system password during the first login attempt. After the password is changed, unblock access to the system.Code Block language xml theme Default cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin" setup.cmd
After the setup script, you may still need to check some files from the backup folder if you have customized them. Compare the files under
C:\Program Files\Ubisecure\ubilogin-sso-old
with the ones underC:\Program Files\Ubisecure\ubilogin-sso
and copy the necessary changes from:Code Block C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\uas\WEB-INF\uas.properties C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\totp\WEB-INF\application.yaml
- When upgrading from version 8.3.x or older, install and prepare PostgreSQL server. Since SSO version 8.4 with Accounting Service feature access to PostgreSQL database is required for the service to run. If you have already installed Ubisecure CustomerID you can use the existing PostgreSQL installation but you need to create a specific database for this purpose. The necessary tables are automatically created during the initial startup of the Accounting Service. See PostgreSQL preparation on Windows for more information and steps to accomplish.
When upgrading from version 8.6 or older, upgrade PostgreSQL server (Ensure that a supported version of PostgreSQL is installed and running - for supported versions, see System Recommendations) following PostgreSQL official upgrade documentation at https://www.postgresql.org/docs/12/upgrading.html.
We have created Knowledge Base "How-to" article with information how we have tested the upgrade and also include estimated migration times. See , additional links in our documentation: PostgreSQL preparation on Windows,Upgrade and migrate to new version of PostgreSQL Start the UbiloginDirectory service
Code Block language xml theme Default net start ubilogindirectory
- Upgrading Ubisecure DirectoryTo update your ADAM or AD LDS installation, the schema and directory settings of the instance must be updated. Before starting, make sure that you are logged in with the same user account that was used to install ADAM or AD LDS.
To update the schema and directory settings, execute the command adaminstall.cmd shown below.This command updates the LDAP schema and does not delete existing user or configuration data.
Code Block language xml theme Default cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap" adam\adaminstall.cmd
Add new entries and update LDAP secrets:
Code Block adam\import-changes.cmd
Check Password application.
Note NOTE:
Password: Check from the current installation if Password application is enabled. To check, examine the file
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\tomcat\conf\server.xml
If the path /password is not commented out, Password application has been enabled in the previous installation.
Skip this step if the Password application is not enabled.
Copy the following files to the matching ubilogin-sso directory:
Code Block language xml theme Default C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\password.properties C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\saml2
Edit
server.xml file
and uncomment:<Context path="/password" docBase="${catalina.base}/webapps/password"/>
Code Block language xml theme Default notepad C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\conf\server.xml
Also check web.xml for mail.smtp.host and mail.smtp.from configuration and copy those to new web.xml (C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\password\WEB-INF\web.xml)
Code Block language xml theme Default notepad C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\web.xml
When upgrading from version 8.3.x or older, configure Accounting Service
Before continuing with the installation which will start the Accounting Service you need to enter and save the secret key contentsVerify your Accounting Service customisation in
. The page contains a suggested script to create a secure enough secret in the default location.You may also customise other Accounting Service configuration settings for your needs, which is recommendedC:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\accounting\config\application.yaml
appears as you require, check Accounting Service additional configuration about the properties to set. Remember secret key in the location referred byaccounting.secret-key-location
inwin32.config
must exist. See Accounting Service security about the usage of the key for pseudonymisation.
See Accounting Service additional configuration about the properties to set.Note When customising edit this file which is copied from the installation package by the setup script: C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\accounting\config\application.yaml
Update Tomcat and Accounting Service configuration and restart the services. Since version 8.4 remove should be done before installation directory is replaced. About Accounting Service start see also Windows single node installation.
Code Block language xml theme Default cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin" config\tomcat\install.cmd
When upgrading from version 8.8.x or older, import initial keyEnsure that you have imported initial signing and decryption key via
initial-key.ldif
. This should have been completed during earlier upgrades.Note This Import key operation needs to be done only once when upgrading from version 8.8.x or older to version 8.9.x or newer, and should not be done for any follow-up updates from 8.9.x or newer to newer versions.
Server signing and decryption key management was updated for SSO 8.9 and the initial signing and decryption key generated during SSO setup must be imported manually in the new location in Ubilogin Directory.
Code Block language text cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin" ldap\adam\import .
cmd ldap\initial-key.ldifThe system upgrade is complete. See , see also Single node installation finalization. For the new Java installation you need to import SSO certificate to Java trust store.
Note NOTE: If you have Ubisecure CustomerID installed, you need to copy the Authorizer files at this point. For instructions, please see document Ubisecure CustomerID Installation, chapter Related tasks when upgrading SSO in Windows - CustomerID. - Either securely remove the backed up ubilogin-sso-old directory, or rename it and store it in a secure location. All configuration files in the old installation directory (win32.config and unix.config) should either be removed from the system or otherwise protected from unauthorized users.
- Clear your web browser’s cache before accessing the user interface.