Versions Compared

Old Version 10

changes.mady.by.user Elmeri Kokkonen

Saved on

compared with

New Version Current

changes.mady.by.user Andrei Filippov

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel6
outlinetrue
typelist
printablefalse

Make sure you have working SSO install before applying these configurations

...

Note

This example is done with self-signed certificate. It is always better to use publicly trusted certificate here.

Become root:

Code Block
sudo su -

Stop any IDS applications that is running in all instances.:

Code Block
systemctl stop wildfly.service

systemctl stop ubilogin-server.service
systemctl stop ubilogin-directory.service

Create new self-signed certificate chain:

Code Block
# Create folder
mkdir -p a temporary directory for certificate creation (name does not matter)
mkdir ~/ssl_cert
cd ~/ssl_cert

# Create certificate authority
openssl req -x509 \
            -sha512 \
            -days 3650 \
            -nodes \
            -newkey rsa:4096 \
            -subj "/CN=localhost/C=FI/L=Espoo" \
            -keyout cakey.pem -out cacert.pem

# Create server private key
openssl genrsa -out serverkey.pem 4096

# Generate certificate signging request
cat << EOF > servercsr.cnf
[ req ]
default_bits = 4096
prompt = no
default_md = sha512
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = FI
ST = Uusimaa
L = Espoo
O = Ubisecure Oy
OU = Engineering
CN = localhost

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)

EOF

# Generate certificate signing request with previously created private key
openssl req \
        -new \
        -key serverkey.pem \
        -out servercsr.pem \
        -config servercsr.cnf

# Generate external certificate configuration
cat << EOF > cert.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)

EOF

# Generate SSL certificate With self signed CA
openssl x509 -req \
    -in servercsr.pem \
    -CA cacert.pem \
    -CAkey cakey.pem \
    -CAcreateserial \
    -out servercert.pem \
    -days 3650 \
    -sha512 \
    -extfile \
    cert.conf

# View generated cert
openssl x509 -noout -in servercert.pem -text

Check keystore before importthat you do not have the certificate imported to cacerts:

Code Block
# View all certificates
keytool -list \
        -storepass changeit \
        -keystore /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat/keystore.pfx

##### Result
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Aug 28, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): FF:BC:BE:57:69:2C:F0:35:06:8D:2D:F8:F3:42:D7:02:5F:1B:0D:47:29:1B:34:4D:FF:B5:DB:0F:1C:3B:4A:0A

...

cacerts \
          | grep -i openldap

Import the newly generated certificate to SSO tomcatTomcat:

Code Block
# Export serverkey
keytool -importimportcert \
        -trustcacerts \
        -keystore /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat/keystore.pfxalias openldap-trusted \
        -storepass changeitcacerts \
        -noprompt \
        -alias 1-ubilogin-directorystorepass changeit \
        -file servercert.pem

Check keystore cacerts after import (note, make sure that the trusted self-signed certificate is topmost position).:

Code Block
# View all certificates
keytool -list \
        -storepass changeit \
        -keystore /usr/local/ubisecure/ubilogin-sso/ubilogin/custom/tomcat/keystore.pfx

##### Result
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

1-ubilogin-directory, Aug 28, 2023, trustedCertEntry, 
Certificate fingerprint (SHA-256): B9:08:F3:95:D7:4D:FD:ED:F7:E2:FC:8F:DE:81:B5:74:EE:2B:5F:2F:3C:96:9B:81:B8:06:3C:1E:3E:F0:89:0C
tomcat, Aug 28, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): FF:BC:BE:57:69:2C:F0:35:06:8D:2D:F8:F3:42:D7:02:5F:1B:0D:47:29:1B:34:4D:FF:B5:DB:0F:1C:3B:4A:0Acacerts \
          | grep -i openldap

Result after the import:

Code Block
openldap-trusted, Aug 29, 2023, trustedCertEntry,

Change ownership for generated files:

Code Block
# Copy generated certificate and serverkey
cp cacert.pem servercert.pem serverkey.pem /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/

# Fix rights
chmod 600 cd /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/cacert.pem

# Fix rights
chmod 600 /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/cacert.pem serverkey.pem chmod 600 /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/servercert.pem

# Fix ownership
chown -R ubilogin. /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap.

Change unix.config so that it will use ldaps:// instead of ldap:// as a connection.:

Code Block
# Make a backup of existing unix.config
cp /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config \
   /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config.$(date +%Y%m%d%H%M%S)

# Apply change
sed -i 's/ldap.url=.*/ldap.url=ldaps:\/\/localhost:636/g' \
  /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config

Result should be something like this:

Code Block
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/
diff -iw unix.config.20230829191717 unix.config
23c23
< ldap.url=ldap\://localhost\:389
---
> ldap.url=ldaps://localhost:636

Once done, run sso SSO setup.sh again.:

Code Block
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./setup.sh

Once done, edit slapd.conf before updating ldap LDAP configuration:

Note

If any errors occurs, one can always run setup.sh again to reverse below changes to original defaults.

Code Block
sed -i 's/#TLSCertificateFile/TLSCertificateFile/' \
  /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf
sed -i 's/#TLSCertificateKeyFile/TLSCertificateKeyFile/' \
  /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf
sed -i 's/#TLSCACertificateFile/TLSCACertificateFile/' \
  /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf

Reconfigure ldapLDAP:

Code Block
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap# Check that JAVA_HOME environment variable is set
echo $JAVA_HOME
# Set the right value if needed (depends on your JDK installation)
export JAVA_HOME=/usr/lib/jvm/temurin-11-jdk
#
Make sure you have correct JDK
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap
./install.sh

And finally update sso configurationsUpdate SSO configurations:

Code Block
# Update configurations
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/config/tomcat
./remove.sh
./install.sh

#

Restart

...

services

...

:

Code Block
systemctl start ubilogin-directory.service
systemctl start ubilogin-server.service
systemctl start wildfly.service