...
| Note |
|---|
This example is done with self-signed certificate. It is always better to use publicly trusted certificate here. |
Become root:
| Code Block |
|---|
sudo su - |
Stop any IDS applications that is running in all instances.:
| Code Block |
|---|
systemctl stop wildfly.service
systemctl stop ubilogin-server.service
systemctl stop ubilogin-directory.service |
Create new self-signed certificate chain:
| Code Block |
|---|
# Create folder mkdir -p a temporary directory for certificate creation (name does not matter) mkdir ~/ssl_cert cd ~/ssl_cert # Create certificate authority openssl req -x509 \ -sha512 \ -days 3650 \ -nodes \ -newkey rsa:4096 \ -subj "/CN=localhost/C=FI/L=Espoo" \ -keyout cakey.pem -out cacert.pem # Create server private key openssl genrsa -out serverkey.pem 4096 # Generate certificate signging request cat << EOF > servercsr.cnf [ req ] default_bits = 4096 prompt = no default_md = sha512 req_extensions = req_ext distinguished_name = dn [ dn ] C = FI ST = Uusimaa L = Espoo O = Ubisecure Oy OU = Engineering CN = localhost [ req_ext ] subjectAltName = @alt_names [ alt_names ] DNS.1 = localhost DNS.2 = $(hostname -s) DNS.3 = $(hostname -f) EOF # Generate certificate signing request with previously created private key openssl req \ -new \ -key serverkey.pem \ -out servercsr.pem \ -config servercsr.cnf # Generate external certificate configuration cat << EOF > cert.conf authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = localhost DNS.2 = $(hostname -s) DNS.3 = $(hostname -f) EOF # Generate SSL certificate With self signed CA openssl x509 -req \ -in servercsr.pem \ -CA cacert.pem \ -CAkey cakey.pem \ -CAcreateserial \ -out servercert.pem \ -days 3650 \ -sha512 \ -extfile \ cert.conf # View generated cert openssl x509 -noout -in servercert.pem -text |
Check cacerts before import (make sure that you do not have certificate already)the certificate imported to cacerts:
| Code Block |
|---|
# View all certificates
keytool -list \
-storepass changeit \
-cacerts \
| grep -i openldap |
Export Import the newly generated certificate to SSO tomcatTomcat:
| Code Block |
|---|
# Export serverkey keytool -importcert \ -trustcacerts \ -alias openldap-trusted \ -cacerts \ -noprompt \ -storepass changeit \ -file ~/ssl/servercert.pem |
Check cacerts after import.:
| Code Block |
|---|
# View all certificates
keytool -list \
-storepass changeit \
-cacerts \
| grep -i openldap |
Result after the import:
| Code Block |
|---|
openldap-trusted, Aug 29, 2023, trustedCertEntry, |
Change ownership for generated files:
| Code Block |
|---|
# Copy generated certificate and serverkey cd ~/ssl cp cacert.pem servercert.pem serverkey.pem /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/ # Fix rights chmod 600cd /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/cacert.pem # Fix rights chmod 600 /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/ cacert.pem serverkey.pem chmod 600 /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/servercert.pem # Fix ownership chown -R ubilogin. /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap. |
Change unix.config so that it will use ldaps:// instead of ldap:// as a connection.:
| Code Block |
|---|
# Make a backup of existing unix.config cp /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config \ /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config.$(date +%Y%m%d%H%M%S) # Apply change sed -i 's/ldap.url=.*/ldap.url=ldaps:\/\/localhost:636/g' \ /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config |
Result should be something like this:
| Code Block |
|---|
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/
diff -iw unix.config.20230829191717 unix.config
23c23
< ldap.url=ldap\://localhost\:389
---
> ldap.url=ldaps://localhost:636 |
Once done, run sso SSO setup.sh again.:
| Code Block |
|---|
cd /usr/local/ubisecure/ubilogin-sso/ubilogin ./setup.sh |
Once done, edit slapd.conf before updating ldap LDAP configuration:
| Note |
|---|
If any errors occurs, one can always run |
| Code Block |
|---|
sed -i 's/#TLSCertificateFile/TLSCertificateFile/' \ /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf sed -i 's/#TLSCertificateKeyFile/TLSCertificateKeyFile/' \ /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf sed -i 's/#TLSCACertificateFile/TLSCACertificateFile/' \ /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/slapd.conf |
Reconfigure ldapLDAP:
| Code Block |
|---|
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap# Check that JAVA_HOME environment variable is set echo $JAVA_HOME # Set the right value if needed (depends on your JDK installation) export JAVA_HOME=/usr/lib/jvm/temurin-11-jdk # Make sure you have correct JDK cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap ./install.sh |
And finally update sso configurationsUpdate SSO configurations:
| Code Block |
|---|
# Update configurations
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/config/tomcat
./remove.sh
./install.sh |
Finally restart Restart services:
| Code Block |
|---|
systemctl start ubilogin-directory.service
systemctl start ubilogin-server.service
systemctl start wildfly.service |