Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space IDS and version 8.2

...

Info

Last reviewed: 2018-05-04

Follow the steps in order. Issue all commands in Windows command prompt using the Administrator user account.

Backing Up Ubisecure Directory (ADAM or AD LDS)

Backup the Ubisecure Directory before Ubisecure CustomerID installation. See Ubisecure SSO & CustomerID Backup and Restore Guide for detailed instructions.

Unpacking the Distribution Package

Unzip the Ubisecure CustomerID zip archive customerid-X.X.X-windows.zip into a temporary folder, for example %USERPROFILE%\Desktop\customerid.

Checking Java

Ubisecure CustomerID requires that a correct version of Java Runtime Environment (JRE) for Servers is available on the server on which Ubisecure CustomerID will be installed. The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be included in the Java installation. Please check the Java installation based on requirements mentioned in Installation and (Upgrade Requirements).
If you haven't done so already during Java installation, make sure you have the following environment variables set related to Java. Modify the paths according to your Java installation.
Set JAVA_HOME to C:\Program Files\Java\jdk1.8.0_121
Set JRE_HOME to C:\Program Files\Java\jdk1.8.0_121\jre

Environment variables can be set Control Panel → View Advanced System Properties → Environment Variables → System Variables

Image Removed

Installing WildFly Application Server

Ubisecure SSO service needs to be stopped at this point if SSO is installed on the same server as CID and SSO is using port 8443.

Code Block
languagetext
themeRDark
net stop UbiloginServer

First, extract the WildFly distribution package and place it in %PROGRAMFILES%, so that the resulting home folder for WildFly becomes %PROGRAMFILES%\wildfly-x.x.x.Final . This folder will be referred to as %WILDFLY_HOME%.
Copy the docs\contrib\scripts\service folder to  %WILDFLY_HOME%\bin folder, so that the resulting path is %WILDFLY_HOME%\bin\service

Code Block
languagetext
themeRDark
set WILDFLY_HOME=%PROGRAMFILES%\wildfly-x.x.x.Final 
cd /D %WILDFLY_HOME%\bin
xcopy /SI ..\docs\contrib\scripts\service service

Due to a bug in the standard WildFly distribution package, edit the service.bat file

Code Block
languagetext
themeRDark
cd /D "%WILDFLY_HOME%\bin\service"
notepad service.bat 

change the following line: 

Code Block
languagetext
themeRDark
set DESCRIPTION="WildFly Application Server"

to: 

Code Block
languagetext
themeRDark
set DESCRIPTION=WildFly Application Server

Having done that, use service.bat to install WildFly as a Windows Service: 

Code Block
languagetext
themeRDark
cd /D "%WILDFLY_HOME%\bin\service"
service.bat install

You can also change the admin host from the default localhost:9990 to something else with the /host parameter. Note that our provided database driver and data source installation scripts require the admin port and assume it's at port 9990, so if you plan to disable or change it, it is best done after the installation is complete.
You can now start the WildFly service by opening the View Local Services functionality and locating WildFly server, right-clicking and selecting Start, or using the net start command:

Code Block
languagetext
themeRDark
titleStarting WildFly
net start wildfly

...

In case you need to uninstall WildFly here are the instructions for it. To uninstall the service, invoke the service.bat with the uninstall parameter. 

Code Block
languagetext
themeRDark
net stop wildfly
cd /D "%WILDFLY_HOME%\bin\service"
service.bat uninstall

Then either delete the WildFly installation folder or backup it to a different location.

Extract the Configuration Template

Create a folder under %PROGRAMFILES% called Ubisecure.

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%"
mkdir Ubisecure

Unzip the cid-deployment-template-x.x.x.zip archive into this newly created directory.

Edit the Setup Template

Ubisecure CustomerID uses the same Ubisecure Directory as Ubisecure SSO. For this reason, Ubisecure CustomerID needs some of the configuration details from the Ubisecure SSO setup. This chapter describes how this information can be added to the Ubisecure CustomerID configuration.
The other properties can be adjusted according to the needs of the specific installation environment.

Create a copy of the Ubisecure CustomerID configuration template:

Create a copy of the Ubisecure CustomerID Windows configuration file win32.config by issuing the following commands: 

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\application"
copy config\win32.config 

Copy entries from Ubisecure SSO configuration file to Ubisecure CustomerID configuration file:

Open the Ubisecure CustomerID win32.config file for editing: 

Code Block
languagetext
themeRDark
notepad %PROGRAMFILES%\Ubisecure\customerid\application\win32.config

Open the Ubisecure SSO win32.config file: 

Code Block
languagetext
themeRDark
notepad %PROGRAMFILES%\Ubisecure\ubilogin-sso\ubilogin\win32.config

Copy the following values from Ubisecure SSO win32.config file to the Ubisecure CustomerID win32.config file:

...

From: Ubisecure SSO

...

To: UbisecureCustomerID

...

master.secret

...

master.secret

...

uas.url

...

uas.url

...

ldap.url

...

ldap.url

...

suffix

...

ldap.suffix

Note

Check that there are no unintentional characters at the end of uas.url value. In fact, always check that there are no extra spaces at ends of any of the lines!

You can now close the Ubisecure SSO win32.config file

...

Edit win32.config

Gliffy
namewin32.config
Expand
titleClick here to expand and see rest of the fields
  • ubilogin.home
    This is the path to the location where Ubisecure SSO has been installed. Backslashes must be escaped with a backslash.
    ubilogin.home=C:\\Program Files\\Ubisecure\\ubilogin-sso\\ubilogin
  • eidm.url
    This is the publicly visible URL address of your Ubisecure CustomerID installation. The value must not include a path component and must not end with a '/' character. This address must be accessible for all users of this installation. In an installation with front-end reverse proxy servers this address refers to the first front-end server that is accessible from the public network. In production systems, no port number should be used.
    eidm.url=https://cid.example.com
  • proxy.local.url (if proxy is used)
    In case there is a reverse proxy server acting in front of the Ubisecure CustomerID, proxy.local.url specifies the URL that will be used by the reverse proxy when accessing the Ubisecure CustomerID. In example below, you must configure proxy to listen to eidm.url and forward requests to port 7443 on host1.local
    proxy.local.url=https://host1.local:7443
  • rest.username
    The username used with REST calls.
  • rest.password
    The password used with REST calls.
  • ldap.principal
    The object in LDAP that is used as login object for LDAP connections from Ubisecure CustomerID.
  • ldap.password
    The password used when connecting to LDAP from Ubisecure CustomerID.
  • database.host
    Defines the host where PostgreSQL is installed. This can be an IP address or DNS host name.
  • database.port
    Defines the public TCP port of the PostgreSQL server. Default is 5432.
  • database.name
    Defines the name of the database that Ubisecure CustomerID should use from the PostgreSQL server.
  • database.user
    Defines a user name that Ubisecure CustomerID should use to connect to PostgreSQL.
  • database.password
    Defines the connection password for the Ubisecure CustomerID database user.
  • wildfly.home
    Defines the folder where WildFly is installed.
  • wildfly.http.port
    Defines the TCP port where WildFly listens for unencrypted HTTP connections.
  • wildfly.https.port
    Defines the TCP port where WildFly listens for encrypted HTTP connections.
  • database.driver.path
    Defines the path where scripts can find the PostgreSQL JDBC driver. (If you have followed instructions to the letter, this must be defined to point to %USERPROFILE%\Desktop\customerid.) Note, that in the configuration file, all paths must be escaped by duplicating each "\"-separator, so the actual path %USERPROFILE%\Desktop\customerid would have to be defined as %USERPROFILE\\Desktop
    customerid.
  • database.driver.file
    Defines the file name of the actual JDBC database driver library.
  • keystore.alias
    Defines a custom alias for the server's SSL key pair in the certificate key store.
  • keystore.password
    Defines a password for the key store.
  • mail.host
    The DNS name or IP address of the mail server.
  • mail.port
    The TCP port of the mail server. Usually 25 for unencrypted SMTP, 465 for encrypted SMTP.
  • mail.username
    The user account name used to log on to the mail server. This is an optional property.
  • mail.password
    The password of the user account name used to log on to the mail server. This is configured only in conjunction with mail.username.
  • mail.from
    The email address to insert in the from field of the email messages. You need to escape the "@" character with another "@" character. Example: john.doe@@example.com
  • mail.ssl
    Define if SSL should be used when contacting the mail server. Value is either true or empty.

To run UbisecureCustomerID setup script:
Take the setup configurations in use by issuing the following commands:

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\application\"
setup.cmd

Configuring WildFly

This chapter will configure WildFly to use HTTP and HTTPS ports defined in win32.config.

Creating the Certificate Key Store for SSL

If you have a production-ready SSL certificate, it is easiest to store it in a keystore.pfx file that is saved in %WILDFLY_HOME%\standalone\configuration\keystore.pfx. If you don't have a production ready server certificate, then you can either create a temporary self-signed one using cert.cmd, to get you started with testing, or buy a production certificate from, for example: https://www.globalsign.com/en/ssl/.
The script cert.cmd will generate a self-signed certificate and deposit it in a key store file called keystore.pfx. This file is saved in %WILDFLY_HOME%\standalone\configuration\keystore.pfx

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
cert.cmd

If you are using self-signed certificates (like the one provided by default in the installation of Ubisecure SSO) also with Ubisecure SSO you need to import the public key into the Java certificate store (%JRE_HOME%\lib\security\cacerts file).

Modifying WildFly Service

To change the WildFly service starting type to automatic from the default setting manual run config-wildfly-service.cmd

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
config-wildfly-service.cmd

...

Add LOCAL SERVICE account to WildFly home folder. Modify file permissions for the folder %PROGRAMFILES%\wildfly-x.x.x.Final. Give full control to the LOCAL SERVICE account.
Image Removed

Note

NOTE: For the Ubisecure CustomerID service startup to be successful when the server is restarted, the WildFly service startup needs to be dependent on the data storage services (PostgreSQL and the used LDAP(s)). If the WildFly service starts up before the data storage services then the startup won't succeed.

If PostgreSQL is running on the same server as WildFly, create a startup dependency to ensure PostgreSQL is running before WildFly is started. As administrator, execute the following command:

sc config wildfly depend=postgresql

...

The command config-wildfly.cmd will relocate HTTP and HTTPS ports according to configuration that was specified in win32.config and set up the references to the key store containing the server certificate. It will also set host aliases. Make sure that all phases finish with a success status.

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
config-wildfly.cmd

After these steps you can open a browser to the server's HTTPS port and verify that the connection is over HTTPS and check that the certificate information is what you would expect under the circumstances.

Additional SSL Considerations

Ubisecure CustomerID can be configured to make calls to third-party software during the user registration workflows. Typically data entered by the user is verified against a CRM or other backend service to determine which access rights a user should be automatically given based on an existing service agreement.

If you plan to use back channel connections from Ubisecure CustomerID over SSL encrypted connections, you will have to add each server's public key to the Server JRE's cacerts file: %JRE_HOME%\lib\security\cacerts. Once you have downloaded the server's public key, you can add it to the key store with the following commands:

Code Block
languagetext
themeRDark
cd /D "%JRE_HOME%\lib\security\"
%JAVA_HOME%\bin\keytool -importcert -trustcacerts -alias "<descriptive alias here>" -keystore cacerts -storepass changeit -file C:\path\to\certificate.cer

This command can also be run at a later stage when third-party backend services are added to user registration workflows.

Setting Up customerid.home System Property for WildFly

WildFly requires the customerid.home system property in order to locate relevant configuration files. To update this system property, run register-customerid-home.cmd from tools folder. 

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
register-customerid-home.cmd

The command has run successfully if the output shows {"outcome" => "success"}.

Setting Up Audit and Diagnostic logging

Starting from Ubisecure CustomerID 5.0.x, logging is managed centrally via the WildFly Java EE container. The script setup-logging.cmd contacts WildFly management port and then sets up logging configuration to redirect Ubisecure CustomerID specific log entries to separate files. To set up logging, run the following commands in a command prompt: 

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
setup-logging.cmd

The command has run successfully if the output shows {"outcome" => "success"} many times.

Setting Up a Mail Session

The mail session is set up by executing the script create-mail-session.cmd

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
create-mail-session.cmd

The command has run successfully if the output shows {"outcome" => "success"} and "reload required" many times.

Note

NOTE: You need to have defined email related configuration in win32.config in order for the above script to work. If you are not going to send emails from Ubisecure CustomerID then this step can be skipped. Emails are sent for user invitations, role requests, notifications of approvals and password management tasks.

Preparing a Database for Ubisecure CustomerID

This chapter will describe how to install a very basic PostgreSQL Server RDBMS installation with a basic database for Ubisecure CustomerID. Many details will vary on a per customer basis, so further tuning is left to the integrator. One significant detail is to manage the collation rules on a per-column basis, therefore it is most probably necessary to make changes to the provided Database Definition Language (DDL) files before they are used to create the database tables for Ubisecure CustomerID. Collations define how text is compared and sorted and whether searches should behave in a case sensitive or insensitive manner.
Following commands are just examples how install a basic PostgreSQL database. You might want to use your own commands. Don't copy and paste the commands in this chapter. Write them by hand to the command prompt to avoid involuntary character replacement.

Obtaining and Installing PostgreSQL

Ubisecure CustomerID requires a PostgreSQL database which is not included in the distribution.

PostgreSQL binaries and instructions on how to use platform specific package managers to download and install PostgreSQL, can be found at the following URL:
https://www.postgresql.org/download/
Having obtained PostgreSQL binaries, run the wizard or relevant binaries to install. The installation process is documented and maintained by your PostgreSQL provider, so please follow their instructions to ensure the best possible configuration. We have tested Ubisecure CustomerID with PostgreSQL 9.4.x.

Creating a Database User

Use the following command to create a new user in the PostgreSQL database.

Code Block
languagetext
themeRDark
cd /d C:\Program Files\PostgreSQL\9.4\bin  (your PostgreSQL installation directory)
psql --username=postgres -c "CREATE USER customerid_user WITH PASSWORD 'replace with your database.password from win32.config'"

When prompted, enter the password given in the installer wizard window during the PostgreSQL installation process.

Creating the Database

Code Block
languagetext
themeRDark
psql --username=postgres -c "CREATE DATABASE customeriddb WITH OWNER = customerid_user ENCODING = 'UTF8' TABLESPACE = pg_default LC_COLLATE = 'Finnish_Finland.1252' LC_CTYPE = 'Finnish_Finland.1252' CONNECTION LIMIT = -1;" 
psql --username=postgres -c "GRANT CONNECT, TEMPORARY ON DATABASE customeriddb TO public;" 
psql --username=postgres -c "GRANT ALL ON DATABASE customeriddb TO customerid_user;"

Modifying the DDL

The main modifications to the DDL involves setting collations to specific columns. There could be some information that should be interpreted as identical regardless of letter case but on the other hand there could also be some attributes where letter case is significant in uniqueness. In order to make it easier to set collations to columns it is convenient to create named collations that can be referenced by name instead. 

Code Block
languagetext
themeRDark
psql --username=postgres --dbname=customeriddb -c "CREATE COLLATION custom_collation (locale = 'Finnish_Finland');"

Now that there's a named collation, it can be attached to column definitions by modifying DDL like in example below:
Original: 

Code Block
languagetext
themeRDark
CREATE TABLE CIDTUSERS (
CIDCUSERID CHAR(36) NOT NULL CONSTRAINT CIDPK_CIDTUSERS PRIMARY KEY,
CIDCREPOUSER VARCHAR(1024),
CIDCORGANIZATIONID CHAR(36) CONSTRAINT CIDFK_CIDTUSERS_CIDCORGANIZATIONID REFERENCES CIDTORGANIZATIONS (CIDCORGANIZATIONID),
CIDCSTATUS INTEGER NOT NULL DEFAULT 4,
CIDCCN VARCHAR(1024),
CIDCEMAIL VARCHAR(1024),
CIDCMOBILE VARCHAR(1024),
CIDCLOCALE CHAR(5),
CIDCFIRSTNAME VARCHAR(1024),
CIDCSURNAME VARCHAR(1024),
CIDCLOGIN VARCHAR(1024),
CIDCSSN VARCHAR(1024),
CIDCCREATED TIMESTAMP NOT NULL,
CIDCLASTMODIFIED TIMESTAMP NOT NULL);

...

Code Block
languagetext
themeRDark
CREATE TABLE CIDTUSERS (
CIDCUSERID CHAR(36) NOT NULL CONSTRAINT CIDPK_CIDTUSERS PRIMARY KEY,
CIDCREPOUSER VARCHAR(1024),
CIDCORGANIZATIONID CHAR(36) CONSTRAINT CIDFK_CIDTUSERS_CIDCORGANIZATIONID REFERENCES CIDTORGANIZATIONS (CIDCORGANIZATIONID),
CIDCSTATUS INTEGER NOT NULL DEFAULT 4,
CIDCCN VARCHAR(1024) COLLATE custom_collation,
CIDCEMAIL VARCHAR(1024) COLLATE custom_collation,
CIDCMOBILE VARCHAR(1024),
CIDCLOCALE CHAR(5) COLLATE custom_collation,
CIDCFIRSTNAME VARCHAR(1024) COLLATE custom_collation,
CIDCSURNAME VARCHAR(1024) COLLATE custom_collation,
CIDCLOGIN VARCHAR(1024) COLLATE custom_collation,
CIDCSSN VARCHAR(1024),
CIDCCREATED TIMESTAMP NOT NULL,
CIDCLASTMODIFIED TIMESTAMP NOT NULL);

Applying the CustomerID DDL to PostgreSQL

Code Block
languagetext
themeRDark
psql --dbname=customeriddb --username=customerid_user -f "%PROGRAMFILES%\Ubisecure\customerid\sql\cid_create.sql"

When prompted, enter the password from the database.password value of the win32.config file.

If you notice something wrong with the database at this point, it is possible to drop the tables using the script cid-drop.sql. After this, the DDL can be modified and imported again. Note that all inserted data in the database will be lost when the tables are dropped.

Creating the JDBC Data Source to WildFly

Ubisecure CustomerID uses a JDBC data source to access the database, thus one needs to be created to WildFly before the Ubisecure CustomerID application can be deployed. There is a script in the distribution package's tools folder for this purpose: create-datasource.cmd. Note that the win32.config file must have been configured and setup.cmd must have been run successfully and WildFly must be running before the create-datasource.cmd script can be run successfully. 

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
create-datasource.cmd

...

You need to define a directory service in Ubisecure SSO Management that is used for accessing the Ubisecure CustomerID's SQL database. To create the service open Ubisecure SSO Management.

Start Ubisecure SSO

Code Block
languagetext
themeRDark
net start UbiloginServer

...

  • Title:  CustomerID SQL
  • Directory type:  SQL
    Image Removed

...

Credentials:
Use database.password value from customerid\application\win32.config

Note

NOTE: If there are escape characters ("\") in the database.password value, remove them before copying the value to the Credentials field.

Configuration: 
Enter the following text in the Configuration String text area: 
validationQuery=
  SELECT 1

...

Image Removed

...

Restart Ubisecure SSO 

Code Block
languagetext
themeRDark
net stop UbiloginServer
net start UbiloginServer

Creating Web Agents for Ubisecure CustomerID

Ubisecure CustomerID needs two web agents. The first one is used to provide login functionality to the Ubisecure CustomerID user interfaces and it also provides the LDAP user account that Ubisecure CustomerID uses when accessing Ubisecure Directory. The second web agent is used when performing verifications during registrations. Ubisecure CustomerID installation package contains LDIF import files that need to be imported to Ubisecure Directory using the import functionality of Ubisecure SSO.

  • Importing the web agent:

Import the LDIF files that create the web agent by issuing the following commands: 

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\application\ldap"
import.cmd customerid.ldif
import.cmd customerid-secrets.ldif
import.cmd customerid-adlds.ldif

...

Ubisecure CustomerID needs an access to the main user LDAP directory and a directory service is needed to establish this connection. To create the service open Ubisecure SSO Management.

...

  • Title: 
    CustomerID Directory
  • Directory type: 
    Ubilogin Directory
     or  Active Directory
    Select  Active Directory  only when external AD is used for CustomerID user storage. Typically Ubilogin Directory is used.
    Image Removed

...

Append one of the following two configurations to the existing text in the "Configuration String" field, depending if UbiloginDirectory or Active Directory is used for CustomerID user data storage: Typically Ubilogin Directory is used.
Ubilogin Directory: 

Code Block
languagetext
themeRDark
policy.password.encoding={SSHA}
directory=ldap:///{LDAP root}
policy.password.protocol=UbiloginDirectory
password-name=password.2

Active Directory: 

Code Block
languagetext
themeRDark
java.naming.ldap.attributes.binary=objectGUID
policy.password.protocol=ActiveDirectoryDs
password-name=password.2

For detailed instructions concerning these settings see Ubisecure SSO Installation and Upgrade document. You can check the value of {LDAP root} for example from the jndi.properties file situated in the %PROGRAMFILES%\Ubisecure\customerid\application\custom folder. The value is the LDAP root part of the java.naming.provider.url property. Example: 

Code Block
languagetext
themeRDark
java.naming.provider.url = ldap://localhost:389/cn=Ubilogin,dc=test

CustomerID Directory SettingsImage Removed

For clustered Ubisecure SSO you will need the following following settings in the CustomerID Directory settings in the Ubisecure SSO Home → Services tab → CustomerID Directory → Configuration String

Code Block
languagetext
themeRDark
com.ubisecure.util.ldap.server.list=<ldap://server1:port/> <ldap://server2:port/>
com.ubisecure.util.ldap.failover.type=single-master (default is multi-master)
com.sun.jndi.ldap.connect.timeout=15000 (in milliseconds)
com.sun.jndi.ldap.read.timeout=15000 (in milliseconds)
com.ubisecure.util.ldap.maxage=120000 (in milliseconds)
com.ubisecure.util.ldap.auth.pool.max=8

...

Restart Ubisecure SSO from command line

Code Block
languagetext
themeRDark
net stop UbiloginServer
net start UbiloginServer

Ubisecure CustomerID SSO Adapter Installation

See ww- CustomerID SSO Adapter Installation in Windows

...

The authentication method configuration is done using Ubisecure SSO Management or the LDIF import files provided by Ubisecure SSO installation.

Create the Authentication Methods

You need to create the required authentication methods according to the general guidelines concerning creating authentication methods into Ubisecure SSO. Here are some hints concerning what could be relevant for specific authentication methods:

...

  • Set title:
    CustomerID Password
  • Name:
    password.2
  • Select method type:
    SPI Password
  • Set directory to:
    CustomerID Directory
    Image Removed
  • By default user logs in using the login attribute (which is uid in Ubisecure Directory and sAMAccountName in Active Directory). If you want the user to login using email address, you must add directory.account.login=mail to the configuration string. You must also add general.login.attribute=mail to eidm2.properties. Create eidm2.properties text file under %PROGRAMFILES%\Ubisecure\customerid\application\custom
    Image Removed
  • Set the optional policy.password.expiring configuration string to show a warning to users during login of a pending password expiry. The value is number of minutes. 10080 is one week. This number should be increased accordingly if users rarely use the system.
    Image Removed
  • Select Enabled
  • Press Update

...

Image Removed

...

You need to define the smsUrl configuration string. It should contain the URL of the SMS server.

...

Image Removed

...

If Active Directory is used as the main user repository then you need to define the userCredentialsTableDN configuration string. It defines the name of the OTP table object in Ubisecure Directory. OTP Printout authentication method information is stored in Ubisecure Directory for all Active Directory users who use the OTP Printout method and that information will be stored under the OTP table. Typically Active Directory is not used as the main user repository for Ubisecure CustomerID.

...

Image Removed

...

Figure 6, OTP Printout Method, configuration string parameters will be shown after next part

...

For sending the OTP list from within the Ubisecure SSO Management application the mailSessionJNDIName configuration string must be set. In most cases, this field can be left blank as it is not required for self-service list management using Ubisecure CustomerID.

...

Image Removed

...

  • TUPAS methods
    • This is only required when using Finnish Bank Authentication Services
    • When creating the TUPAS methods follow the separate TUPAS methods related documentation.
    • Automatic creation for TUPAS test methods can be done with %PROGRAMFILES%\Ubisecure\ubilogin-sso\ubilogin\ldap\adam\import.cmd ..\methods\methods-tupas.ldif command

Remember to enable all of the created authentication methods. This can be done by selecting the X at the top of the checkbox column to tick all boxes, and then press Update.
For more information concerning authentication method configuration check the Ubisecure SSO authentication method documentation.

...

Image Removed

...

Figure 8, All authentication methods are ticked as enabled

...

The next step in Ubisecure CustomerID installation is to create a site specific configuration for Ubisecure CustomerID. This can be done by editing the custom/eidm2.properties and other Ubisecure CustomerID configuration files. For more information about the configuration options, refer to CustomerID Configuration. If you will be using Active Directory as the main user repository for Ubisecure CustomerID then you can find AD specific configuration guidance from CustomerID AD Integration Configuration. After you have finished creating a site specific setup, return to this document and go through the rest of the chapters. 

Examples of the types of configurations required at the step include:

  • defining user registration workflows
  • defining organization types and roles
  • defining what strong authentication methods are available
  • defining policies for login names

Generally it is recommended to use a very basic eidm2.properties configuration first, ensure the system is fully configured and running and then modify the settings again later to match the use case requirements.

Execute the following commands to create and edit the eidm2.properties file:

Code Block
themeRDark
titleEditing eidm2.properties
cd /d %PROGRAMFILES%\Ubisecure\customerid\application\custom
notepad eidm2.properties

Typical entries include:

Code Block
themeRDark
titleCreating basic eidm2.properties
# use email address as the username when logging in
# this requires that directory.account.login=mail is added to password.2 authentication method settings
# without this setting, the default uid is used as the username when logging in
general.login.attribute = mail

# where to redirect the user when an error occurs or user presses exit - generally home page of the target service
general.default.returnUrl = https://www.example.com

# where to redirect the user after logout has been performed
general.default.logoutReturnUrl = https://www.example.com
Note

NOTE: This step is very important as some configuration options cannot be changed after this step.

Deploying Ubisecure CustomerID

Ubisecure CustomerID uses WildFly as a J2EE Container. This chapter describes how to download Identity Provider metadata from Ubisecure SSO, generate Service Provider metadata, and deploy the cid-ear-x.x.x.ear and cid-worker-ear-x.x.x.ear enterprise archives (EARs).

To download Identity Provider metadata and generate Service Provider metadata:

  1. Download IDP metadata by running the following commands:

    Code Block
    languagetext
    themeRDark
    cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools\"
    get-metadata.cmd

    This command will show download statistics if successful.

  2. Initialize Ubisecure CustomerID SPs by running the following commands: 

    Code Block
    languagetext
    themeRDark
    cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools\"
    init-eidm-sp.cmd

    This command will not display any output if successful.

  3. Initialize authentication provider by running the following commands: 

    Code Block
    languagetext
    themeRDark
    cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools\"
    init-eidm-ap.cmd

    This command will not display any output if successful.

Deploy the Ubisecure CustomerID applications to WildFly using the deploy-ear.cmd script. When invoking the script, you must supply the path to the ear file, like in the example below: 

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools\"
deploy-ear.cmd %USERPROFILE%\Desktop\customerid\cid-ear-x.x.x.ear
deploy-ear.cmd %USERPROFILE%\Desktop\customerid\cid-worker-ear-x.x.x.ear

...

To initialize Ubisecure CustomerID with initialization scripts:

Initialize Ubisecure CustomerID internal database and repository (i.e., the part of Ubisecure Directory needed by Ubisecure CustomerID) by running the following commands

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools\"
init-customerid-data-storages.cmd

Successful execution will show: <init><initializeDatabase/></init>

...

Download SP metadata for authentication provider by running the following commands: 

Code Block
languagetext
themeRDark
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools\"
get-metadata-for-ap.cmd

This command will show download statistics if successful.

Restarting Ubisecure Software

Ubisecure SSO & CustomerID restart is required to take into use all the new features initialized in the previous chapter.

To restart Ubisecure SSO:

Restart Ubisecure SSO by running the following commands: 

Code Block
languagetext
themeRDark
net stop UbiloginServer
net start UbiloginServer

Restart Ubisecure CustomerID by running the following commands: 

Code Block
languagetext
themeRDark
net stop wildfly
net start wildfly
Note

NOTE: Stopping the Ubisecure CustomerID service using the mentioned command may not succeed in Windows if your firewall settings block access to WildFly management.

...

Perform once for the whole Ubisecure CustomerID cluster:

  1. Back up Ubisecure Directory. See instructions from Backup and restore - Ubisecure Directory.

Perform on each Ubisecure CustomerID node:

  1. Unpack the distribution package. See instructions from Distribution package unpacking on Windows - CustomerID.
  2. Check Java. See instructions from Java check on Windows - CustomerID.

Perform once for the whole Ubisecure CustomerID cluster:

  1. Prepare PostgreSQL. See instructions from PostgreSQL preparation on Windows - CustomerID.

Perform on each Ubisecure CustomerID node:

  1. Install WildFly. See instructions from Two node WildFly installation on Windows - CustomerID.

Perform once on CustomerID Master Node

  1. Extract the deployment template. See instructions from Deployment template extraction on Windows - CustomerID.
  2. Edit the setup template and run setup. See instructions from Setup template on Windows - CustomerID.
  3. Prepare WildFly for domain configuration. See instructions from Two node WildFly preparation on Windows - CustomerID.
  4. Configure WildFly on CustomerID Master Node. See instructions from Two node master WildFly configuration on Windows - CustomerID
  5. Configure the singleton subsystem. See instuctions from Two node singleton subsystem configuration on Windows - CustomerID
  6. Configure authentication protocol. See instructions from Application identity generation and IDP metadata download on Windows - CustomerID.

Perform on CustomerID Slave Node:

  1. Transfer the installation folder from master node. See instructions from Two node installation folder transfer on Windows - CustomerID.
  2. Prepare WildFly for domain configuration. See instructions from Two node WildFly preparation on Windows - CustomerID.
  3. Configure WildFly on CustomerID Slave Node. See instructions from Two node slave WildFly configuration on Windows - CustomerID

Perform once on CustomerID Master Node

  1. Create JDBC data source to WildFly. See instructions from Two node JDBC data source creation on Windows - CustomerID
  2. Create a Mail Session configuration for WildFly. See instructions from Two node mail session creation on Windows - CustomerID
  3. Configure logging for CustomerID. See instructions from Two node logging configuration on Windows - CustomerID
  4. Register "customerid.home" system property to WildFly. See instructions from WildFly system property registration on Windows - CustomerID

Perform once for the whole Ubisecure CustomerID cluster:

  1. Create a directory service for Ubisecure CustomerID SQL in Ubisecure SSO Management. See instructions from SQL directory service creation on Windows - CustomerID.
  2. Create web agents for Ubisecure CustomerID. See instructions from Web agents creation on Windows - CustomerID.
  3. Create a directory service for Ubisecure CustomerID LDAP in Ubisecure SSO Management. See instructions from LDAP directory service creation on Windows - CustomerID.

Perform on each Ubisecure SSO node:

  1. Install PostgreSQL JDBC driver to SSO node(s). See instructions from PostgreSQL JDBC driver installation to SSO on Windows - CustomerID.
  2. Install Ubisecure CustomerID SSO Adapter to SSO node(s). See instructions from SSO Adapter installation on Windows - CustomerID.

Perform once for the whole Ubisecure CustomerID cluster:

  1. Add authentication method configurations in Ubisecure SSO Management. See instructions from Authentication method configuration on Windows - CustomerID.

Perform on each Ubisecure CustomerID node:

  1. Create a site specific configuration for Ubisecure CustomerID. See instructions from Site specific configuration on Windows - CustomerID.

Perform on the CustomerID Master Node

  1. Deploy the Ubisecure CustomerID applications. See instructions from Two node deployment to WildFly on Windows - CustomerID.
  2. Configure HTTPS, See Two node SSL configuration on Windows - CustomerID

Perform on the CustomerID Master node:

  1. Initialize data storages. See instructions from Data storages initialization on Windows - CustomerID.

Perform on each Ubisecure SSO node:

  1. Restart Ubisecure SSO. See instructions from Installation related SSO restart on Windows - CustomerID.

Perform on each Ubisecure CustomerID node:

  1. Restart Ubisecure CustomerID on Master node first, then slave node. See instructions from Restart on Windows - CustomerID.

Perform once for the whole Ubisecure CustomerID cluster:

  1. Import example admin user. See instructions from Example user data import on Windows - CustomerID.

You can now login using URL: https://<eidm.url>/eidm2/wf/admin

eidm.url value can be found from : "the file %PROGRAMFILES%\Ubisecure\customerid\application\win32.config"