Install node 2 - SSO

Stop Ubisecure SSO on node 1

Shut down Node 1 when installing Node 2.

On Node 1:

Listing 1.
/etc/init.d/ubilogin-server stop
/etc/init.d/ubilogin-directory stop

LDAP configuration

Add the two lines shown in Listing 3 to the file /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/slapd.conf on node 1, replacing the placeholder hostnames with the real ones.

Listing 2.
vi /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/slapd.conf


These are addresses where Ubisecure Directory is running on different nodes:

Listing 3.
serverID 1 ldap://<node1 hostname>:389
serverID 2 ldap://<node2 hostname>:389

Add the following lines to the file /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/cn=Ubilogin,dc=sso,dc=example,dc=com.conf on node 1:

Ensure that all quotation marks are standard quotation marks.

Listing 4.
syncrepl rid=001
 provider=ldap://<node1 hostname>:389
 searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
 bindmethod=simple
 binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
 credentials="secret"
 type=refreshAndPersist
 timeout=1
 retry="1 10 60 10 600 +" 

syncrepl rid=002
 provider=ldap://<node2 hostname>:389
 searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
 bindmethod=simple
 binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
 credentials="secret"
 type=refreshAndPersist
 timeout=1
 retry="1 10 60 10 600 +"

mirrormode on
#
overlay syncprov

There are configurations for both nodes: rid=001 is node 1 and rid=002 is node 2. The values must agree with the rest of the installation:

Provider      The LDAP address must match the corresponding serverID line in Listing 3.
Searchbase    Must match the suffix defined in unix.config.
Binddn        uid=System,ou=System followed by the suffix from unix.config, for example uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
Credentials   Enter openldap.root.password from unix.config.
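The rules in the table above are easy to get wrong when hostnames are edited by hand on two nodes. The following checker is an added example, not part of Ubisecure's own tooling: it parses the serverID lines from slapd.conf and the syncrepl stanzas from the database .conf file, and reports any stanza whose provider, searchbase, binddn or credentials disagree with the serverID list and the suffix and openldap.root.password taken from unix.config. The hostnames and file contents below are constructed placeholders.

```python
import re
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace) to the line above; skip comments."""
    out = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0] in " \t" and out:
                out[-1] += " " + raw.strip()
            else:
                out.append(raw.strip())
    return out

def parse_server_ids(slapd_conf):
    """'serverID <n> <url>' lines -> {n: url}."""
    rows = [ln.split() for ln in logical_lines(slapd_conf)]
    return {p[1]: p[2] for p in rows if p[0] == "serverID" and len(p) == 3}

def parse_syncrepl(db_conf):
    """One dict of key=value settings per syncrepl stanza (quotes stripped)."""
    return [{k: v.strip('"') for k, v in KV.findall(ln)}
            for ln in logical_lines(db_conf) if ln.startswith("syncrepl ")]

def check_replication_config(slapd_conf, db_conf, suffix, root_password):
    """Apply the matching rules from the table; returns a list of problems ([] = consistent)."""
    ids, stanzas, problems = parse_server_ids(slapd_conf), parse_syncrepl(db_conf), []
    for s in stanzas:
        rid = s.get("rid", "0")   # rid=001 must point at serverID 1, rid=002 at serverID 2
        rules = [  # (condition that must hold, message if it does not)
            (s.get("provider") == ids.get(str(int(rid))), "provider is not the serverID address of that rid"),
            (s.get("searchbase") == suffix, "searchbase differs from the suffix in unix.config"),
            (s.get("binddn", "").endswith("," + suffix), "binddn is not under the suffix"),
            (s.get("credentials") == root_password, "credentials differ from openldap.root.password"),
        ]
        problems += [f"rid={rid}: {msg}" for ok, msg in rules if not ok]
    problems += [f"missing '{n}'" for n in ("mirrormode on", "overlay syncprov") if n not in logical_lines(db_conf)]
    return problems

# Constructed sample files with placeholder hostnames; in practice read the real files from disk.
SLAPD_CONF = "serverID 1 ldap://node1.example.com:389\nserverID 2 ldap://node2.example.com:389\n"
SUFFIX = "cn=Ubilogin,dc=sso,dc=example,dc=com"   # suffix from unix.config
DB_CONF = f"""\
syncrepl rid=001 provider=ldap://node1.example.com:389 searchbase="{SUFFIX}"
 binddn="uid=System,ou=System,{SUFFIX}" credentials="secret" type=refreshAndPersist
syncrepl rid=002 provider=ldap://node2.example.com:389 searchbase="{SUFFIX}"
 binddn="uid=System,ou=System,{SUFFIX}" credentials="secret" type=refreshAndPersist
mirrormode on
overlay syncprov
"""
```

Run check_replication_config with the real file contents and the values from unix.config before starting the directory on either node; an empty list means the two files agree with each other.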

Modify Ubisecure Directory startup script (settings.sh) on node 1

Listing 5.
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/config/settings.sh 

Add Node 1 local hostname address ldap://node1host:389 to settings.sh

Listing 6.
Add the following new line below the line reading "esac"
LDAP_LISTEN_URLS="ldap://node1host:389 $LDAP_LISTEN_URLS"

On Node 2, create ubisecure folder and copy the ubilogin-sso folder from node 1 to node 2.

Listing 7.
mkdir -p /usr/local/ubisecure 
cd /usr/local/ubisecure/
scp -r <username>@<node1>:/usr/local/ubisecure/ubilogin-sso .

On Node 2, run the following command to set up the system user ubilogin. The newly created user will be used for running Ubisecure SSO and Ubisecure Directory.

Listing 8.
./ubilogin/config/unix/setupuser.sh

On Node 2, modify Ubisecure Directory startup script settings.sh file in /usr/local/ubisecure/ubilogin-sso/ubilogin/config/

Listing 9.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/config/ 

Add the Node 2 hostname address ldap://node2host:389 to settings.sh

Listing 10.
Modify the line added below the line reading "esac" (copied from node 1) so that it reads
LDAP_LISTEN_URLS="ldap://node2host:389 $LDAP_LISTEN_URLS"

Install OpenLDAP service on node 2:

cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/install.sh

When the OpenLDAP install script prompts for LDAP Password, type secret and press return.

install.sh executes the following commands:
/etc/init.d/ubilogin-directory start
./import.sh ../cnroot.ldif
./import.sh ../uas.ldif
./import.sh ../secrets.ldif
./import.sh ../system-password.ldif
./import.sh groups.ldif
/etc/init.d/ubilogin-directory stop

Because install.sh regenerates a number of configuration files, two files must be copied again from Node 1 at this point:

scp -r <username>@<node1>:/usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/cn* /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/

scp -r <username>@<node1>:/usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/slapd.conf /usr/local/ubisecure/ubilogin-sso/openldap/etc/openldap/

Check that the ownership and access rights of these two files match Node 1.

Delete the OpenLDAP database from node 2. It will reappear through replication later.

Listing 11.
cd /usr/local/ubisecure/ubilogin-sso/openldap/var/openldap-bdb/cn=Ubilogin,dc=sso,dc=example,dc=com
rm -f *

Install Tomcat to node 2:

Listing 12.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./config/tomcat/install.sh

Start the Ubisecure SSO and Ubisecure Directory processes first on node 1 and then on node 2 by using the following commands:

On Node 1:

Listing 13.
/etc/init.d/ubilogin-directory start
/etc/init.d/ubilogin-server start

On Node 2:

Listing 14.
/etc/init.d/ubilogin-directory start
/etc/init.d/ubilogin-server start

Verify LDAP replication

List OpenLDAP folder on node 2 and verify that database files from node 1 have been copied automatically to node 2:

Listing 15.
ls /usr/local/ubisecure/ubilogin-sso/openldap/var/openldap-bdb/cn=Ubilogin,dc=sso,dc=example,dc=com
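The directory listing only shows that database files exist on node 2. As an added check (example code, not part of Ubisecure's tooling), the following compares the contextCSN values that each node reports for the replicated suffix: in mirror mode every node carries one contextCSN per serverID, and the nodes are in sync when both sets are identical. It assumes ldapsearch is installed and that the bind used may read contextCSN (add -D and -w if anonymous reads are refused); the hostnames and the sample output are constructed.

```python
import subprocess

BASE = "cn=Ubilogin,dc=sso,dc=example,dc=com"   # searchbase/suffix from unix.config

def fetch_csn_ldif(host, port=389):
    """Query one node for the contextCSN of the replicated suffix (needs network access)."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", f"ldap://{host}:{port}",
           "-b", BASE, "-s", "base", "contextCSN"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_context_csn(ldif):
    """Map serverID -> contextCSN value; the CSN format is time#count#sid#mod."""
    csns = {}
    for line in ldif.replace("\n ", "").splitlines():   # unfold LDIF continuation lines
        if line.startswith("contextCSN:"):
            csn = line.split(":", 1)[1].strip()
            csns[csn.split("#")[2]] = csn
    return csns

def replication_lag(node1_ldif, node2_ldif):
    """Differences between the two nodes' CSN sets; an empty list means in sync."""
    a, b = parse_context_csn(node1_ldif), parse_context_csn(node2_ldif)
    issues = []
    for sid in sorted(set(a) | set(b)):
        if sid not in a or sid not in b:
            issues.append(f"serverID {sid} missing on node {'1' if sid not in a else '2'}")
        elif a[sid] != b[sid]:
            issues.append(f"serverID {sid}: node1={a[sid]} node2={b[sid]}")
    return issues

# Constructed sample output in the shape ldapsearch prints it; node 2 lags behind for serverID 002.
NODE1_SAMPLE = """dn: cn=Ubilogin,dc=sso,dc=example,dc=com
contextCSN: 20240305101500.123456Z#000000#001#000000
contextCSN: 20240305101459.000001Z#000000#002#000000
"""
NODE2_SAMPLE = """dn: cn=Ubilogin,dc=sso,dc=example,dc=com
contextCSN: 20240305101500.123456Z#000000#001#000000
contextCSN: 20240305101458.000001Z#000000#002#000000
"""

if __name__ == "__main__":
    # On the real nodes replace the samples with fetch_csn_ldif("<node1 hostname>") etc.
    for issue in replication_lag(NODE1_SAMPLE, NODE2_SAMPLE) or ["replication in sync"]:
        print(issue)
```

A lasting difference for one serverID after both directories have been running for a while means that node's changes are not reaching the other node, which the file listing alone does not reveal.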

Configuring LDAP failover

Each Ubisecure SSO can be configured to connect to the LDAP directory on the other node in case the local directory cannot be reached. This is recommended if SSO and the directory are run on separate servers. If SSO and directory are run on the same server (default configuration), LDAP failover is not always desired. In this case this chapter can be skipped.

For Ubisecure SSO, LDAP failover is configured in file /usr/local/ubisecure/ubilogin-sso/ubilogin/webapps/uas/jndi.properties. An example of such configuration follows:

java.naming.factory.initial = com.ubisecure.util.ldap.jldap.JLDAP
java.naming.provider.url = ldap://localhost:389/cn=Ubilogin,dc=localhost
java.naming.security.authentication = simple

java.naming.security.principal = cn=Server,ou=System,cn=Ubilogin,dc=localhost
java.naming.security.credentials = secret

com.ubisecure.util.ldap.server.list = ldap://node-1-hostname/ ldap://node-2-hostname/

The order of the servers in the server.list value is not significant. During startup, both servers are contacted at the same time. The server that responds fastest to the request is used until a failure occurs.

For other Ubisecure applications, LDAP failover is configured in the following configuration files:

  • Ubisecure SSO Management: <installation directory>/ubilogin/webapps/ubilogin/WEB-INF/jndi.properties
  • Ubisecure Password application: <installation directory>/ubilogin/webapps/password/WEB-INF/ubilogin.jndi.properties
  • Ubisecure Search: <installation directory>/ubilogin/webapps/search/WEB-INF/jndi.properties
  • Ubisecure OTP Server: <installation directory>/ubilogin/webapps/otpserver/WEB-INF/jndi.properties
  • Ubisecure SSO REST API: <installation directory>/ubilogin/webapps/sso-api/WEB-INF/jndi.properties

These changes must be made on both nodes.

After the change, activate the applications on each node:

Listing 16.
/etc/init.d/ubilogin-server stop
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./config/tomcat/update.sh
/etc/init.d/ubilogin-server start

Verify LDAP failover functionality

Test 1

  • Stop ubilogin-directory on Node 1.
  • Start ubilogin-server on Node 1.
  • Stop ubilogin-directory on Node 2.
  • Start ubilogin-server on Node 2.
  • Check that SSO Management application still responds after a few page refreshes.

Test 2

  • Stop ubilogin-directory on Node 2.
  • Start ubilogin-server on Node 2.
  • Stop ubilogin-directory on Node 1.
  • Start ubilogin-server on Node 1.
  • Check that SSO Management application still responds after a few page refreshes.