...
...
...
...
Creating the Certificate Key Store for SSL
If you have a production-ready SSL certificate, it is easiest to store it in a keystore.pfx file saved as %WILDFLY_HOME%\standalone\configuration\keystore.pfx. If you don't have a production-ready server certificate, you can either create a temporary self-signed one using cert.cmd to get you started with testing, or buy a production certificate from, for example, https://www.globalsign.com/en/ssl/.
The script cert.cmd generates a self-signed certificate and deposits it in a key store file called keystore.pfx. This file is saved as %WILDFLY_HOME%\standalone\configuration\keystore.pfx.
```bat
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
cert.cmd
```
...
If you are also using self-signed certificates with Ubisecure SSO (like the one provided by default in the Ubisecure SSO installation), you need to import the public key into the Java certificate store (the %JRE_HOME%\lib\security\cacerts file).
Modifying WildFly Service
To change the WildFly service startup type from the default setting (manual) to automatic, run config-wildfly-service.cmd.
```bat
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
config-wildfly-service.cmd
```
Successful execution will show [SC] ChangeServiceConfig SUCCESS.
Configure WildFly File Permissions
Add the LOCAL SERVICE account to the WildFly home folder: modify the file permissions for the folder %PROGRAMFILES%\wildfly-x.x.x.Final and give full control to the LOCAL SERVICE account. This can be done via the command line:
```bat
icacls "%PROGRAMFILES%\wildfly-x.x.x.Final" /grant "LOCAL SERVICE:(OI)(CI)(F)"
```
Successful execution will show Successfully processed 1 files; Failed processing 0 files. The result can also be verified in the GUI.
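A scripted equivalent of the GUI check, added here as an example and not part of the Ubisecure documentation: it confirms that the (OI)(CI)(F) grant above is in place for LOCAL SERVICE and flags broad groups that hold write access to the WildFly home folder. The folder name keeps the page's x.x.x version placeholder.

```powershell
# Added example: verify the WildFly home folder ACL after the icacls grant.
# Expected: LOCAL SERVICE holds Full Control inherited by files (OI) and
# sub-folders (CI); no broad group should be able to modify the deployment.
$WildFlyHome = Join-Path $env:ProgramFiles 'wildfly-x.x.x.Final'   # placeholder version

$acl = Get-Acl -Path $WildFlyHome
$localServiceSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::LocalServiceSid, $null)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritBoth = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

$grantFound = $false
foreach ($rule in $acl.Access) {
    $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($sid -eq $localServiceSid -and
        $rule.AccessControlType -eq 'Allow' -and
        ($rule.FileSystemRights -band $fullControl) -eq $fullControl -and
        ($rule.InheritanceFlags -band $inheritBoth) -eq $inheritBoth) {
        $grantFound = $true
    }
}

if ($grantFound) {
    Write-Output "OK: LOCAL SERVICE has inheritable Full Control on $WildFlyHome"
} else {
    Write-Warning "LOCAL SERVICE grant is missing or incomplete on $WildFlyHome"
}

# The service account should be the only non-administrative identity with
# write rights; report any broad principal that can modify the folder tree.
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeRight  = [System.Security.AccessControl.FileSystemRights]::Write
$acl.Access |
    Where-Object {
        $broadGroups -contains $_.IdentityReference.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeRight) -ne 0
    } |
    ForEach-Object {
        Write-Warning ("Broad write access: {0} -> {1}" -f $_.IdentityReference, $_.FileSystemRights)
    }
```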
Note: For the Ubisecure CustomerID service startup to be successful when the server is restarted, the WildFly service startup needs to be dependent on the data storage services (PostgreSQL and the used LDAP(s)). If the WildFly service starts up before the data storage services, the startup won't succeed. If PostgreSQL is running on the same server as WildFly, create a startup dependency to ensure PostgreSQL is running before WildFly is started. As the Administrator user, execute the following command:
Note: Execute the following command as an Administrator if there is a need to remove the dependency for any reason (note the space between the = and "" symbols):
Applying WildFly Configuration Changes
The command config-wildfly.cmd relocates the HTTP and HTTPS ports according to the configuration specified in win32.config and sets up the references to the key store containing the server certificate. It also sets the host aliases. Make sure that all phases finish with a success status.
```bat
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
config-wildfly.cmd
```
Successful execution will return many output lines with each set of lines containing the response "outcome" => "success".
Verifying WildFly SSL Configuration
Open a browser to the server's HTTPS port, verify that the connection is over HTTPS, and check that the certificate information is what you would expect under the circumstances. At this point in the installation no applications have been deployed, so a 404 Page not found error message should be delivered over a TLS connection (HTTPS).
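The same check from the command line, added as an example that is not part of the Ubisecure documentation: it connects to the WildFly HTTPS port, reports the certificate the server actually presents and the negotiated protocol, and confirms that the 404 is served over TLS. The host name and port are assumptions; use the values configured in win32.config.

```powershell
# Added example: inspect the certificate WildFly presents on its HTTPS port and
# confirm that the (expected) 404 arrives over TLS. Host and port are assumptions.
param(
    [string]$ServerName = 'localhost',
    [int]$HttpsPort = 8443
)

$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $HttpsPort)
try {
    # Chain validation is bypassed only so that a self-signed cert.cmd test
    # certificate can still be inspected; the relevant checks are made explicitly.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, ({ $true }))
    $ssl.AuthenticateAsClient($ServerName)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Output ("Protocol   : {0}" -f $ssl.SslProtocol)
    Write-Output ("Subject    : {0}" -f $cert.Subject)
    Write-Output ("Issuer     : {0}" -f $cert.Issuer)
    Write-Output ("Valid until: {0:u}" -f $cert.NotAfter)
    Write-Output ("Thumbprint : {0}" -f $cert.Thumbprint)

    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning 'Self-signed certificate (as produced by cert.cmd): suitable for testing only.'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning 'Certificate has expired.'
    }
    if ($ssl.SslProtocol -lt [System.Security.Authentication.SslProtocols]::Tls12) {
        Write-Warning ("Negotiated {0}; TLS 1.2 or later is expected." -f $ssl.SslProtocol)
    }

    # Minimal HTTP request over the TLS stream; with nothing deployed yet,
    # WildFly should answer with a 404 status line.
    $writer = New-Object System.IO.StreamWriter($ssl)
    $writer.AutoFlush = $true
    $writer.Write("GET / HTTP/1.1`r`nHost: $ServerName`r`nConnection: close`r`n`r`n")
    $reader = New-Object System.IO.StreamReader($ssl)
    $statusLine = $reader.ReadLine()
    Write-Output ("HTTP status: {0}" -f $statusLine)
    if ($statusLine -notmatch ' 404 ') {
        Write-Warning 'Expected a 404 before any application is deployed.'
    }
}
finally {
    $tcp.Close()
}
```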
...
In production systems, a proxy must be used between the CustomerID application server and the user. SSL certificate configuration at the proxy is done according to the proxy vendor product instructions.
Setting Up customerid.home System Property for WildFly
See the instructions in CustomerID WildFly System Property Registration On Windows. Register the customerid.home environment variable with WildFly.
Run the script register-customerid-home.cmd in order to set the system property customerid.home on WildFly.
```bat
cd /D "%PROGRAMFILES%\ubisecure\customerid\tools"
register-customerid-home.cmd
```
The command has run successfully if the output shows {"outcome" => "success"}.
Setting Up Audit and Diagnostic logging
Starting from Ubisecure CustomerID 5.0.x, logging is managed centrally via the WildFly Java EE container. The script setup-logging.cmd contacts the WildFly management port and then sets up the logging configuration to redirect Ubisecure CustomerID specific log entries to separate files. To set up logging, run the following commands in a command prompt:
```bat
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
setup-logging.cmd
```
The command has run successfully if the output shows {"outcome" => "success"} many times.
Setting Up a Mail Session
The mail session is set up by executing the script create-mail-session.cmd:
```bat
cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
create-mail-session.cmd
```
...