Upgrade on Windows - SSO
Last reviewed: 2020-02-04
IMPORTANT: Sign in using an Administrator account - the same account used during initial product installation.
Updates from 6.0.x, 6.1 and 6.2 to 6.3 can be done according to these instructions as well.
Make sure you have Java installed, JRE_HOME and JAVA_HOME set according to Installation requirements - SSO.
Stop the services that are running. ubisecureaccounting is a new service since 8.4.
    net stop ubiloginserver
    net stop ubilogindirectory
    net stop ubisecureaccounting
Remove SSO and Accounting Service Windows service configurations:
    cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
    config\tomcat\remove.cmd
Move the existing installation to the ubilogin-sso-old directory.
    cd /d "C:\Program Files\Ubisecure\"
    move ubilogin-sso ubilogin-sso-old
Extract the archive ubilogin-sso-8.x.x.xxxxx.zip to a temporary location.
Move the complete unzipped ubilogin-sso directory from the distribution package to C:\Program Files\Ubisecure.
Copy the win32.config and config.index files from the older version. Overwrite config.index.
    copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\win32.config" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config"
    copy "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\config.index" "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config.index"
If upgrading from a version prior to 6.8, add the following lines to the file C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config, if not there yet.
    tomcat.instancename = UbiloginServer
    tomcat.username = NT AUTHORITY\\LocalService
    adam.username = NT AUTHORITY\\NetworkService
When upgrading to version 8.4, add the Accounting Service related settings if they do not exist in the file C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config. Modify the settings according to these guidelines.
    # Accounting configuration
    accounting.url = https://localhost:8442
    accounting.proxy.local.url = @accounting.url@
    accounting.instancename = UbisecureAccounting
    accounting.username = @tomcat.username@
    accounting.datasource.url = jdbc:postgresql://localhost:5432/accountingdb
    accounting.datasource.username =
    accounting.datasource.password =
    accounting.secret-key-location-uri = file:///${user.dir}/config/accounting-service.secret
    accounting.actuator.username = accounting_admin
    accounting.actuator.password =
    accounting.jms.broker.port = 36161
    accounting.jms.broker.socket-timeout-ms = 10
If Accounting Service has already been installed and is in use, copy the Accounting Service logs from the older version:
    mkdir "C:\Program Files\Ubisecure\ubilogin-sso\accounting\logs"
    copy "C:\Program Files\Ubisecure\ubilogin-sso-old\accounting\logs" "C:\Program Files\Ubisecure\ubilogin-sso\accounting\logs"
If Accounting Service has already been installed and is in use, you may need to copy the Accounting Service secret key file from the older version, depending on where the key is located. NOTE: The secret key must be the same during the entire reporting period, which is a month; see Accounting Service security. Example (use the path you have set in the configuration):
    mkdir "C:\Program Files\Ubisecure\ubilogin-sso\accounting\config"
    copy "C:\Program Files\Ubisecure\ubilogin-sso-old\accounting\config\accounting-service.secret" "C:\Program Files\Ubisecure\ubilogin-sso\accounting\config"
Copy the following files and directories (recursively) from the previous installation to the matching ubilogin-sso directory. Note that both Tomcat and Ubisecure SSO logs are retained.
    C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\custom\*
    C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\config.index
    C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\methods\*
    C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\logs\*
    C:\Program Files\Ubisecure\ubilogin-sso-old\tomcat\logs\*
    C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\uas\WEB-INF\uas.properties
    C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\cdc\WEB-INF\config.properties
If updating to a version prior to 8.2, copy the following file from the previous installation to the matching ubilogin-sso directory.
    C:\Program Files\Ubisecure\ubilogin-sso-old\java\windows-x64\jre\lib\security\cacerts
If updating from a version prior to 8.2 to version 8.2 or later and using an external user directory (other than Ubilogin Directory) or SMTP server, import the AD and/or SMTP server certificates to the Java keystore file.
To view all certificates from the old java keystore file, execute the command:
    C:\Program Files\Ubisecure\ubilogin-sso-old\java\windows-x64\jre\lib\security>..\..\bin\keytool -list -keystore cacerts
To export a certificate from the old java keystore file, execute the command:
    C:\Program Files\Ubisecure\ubilogin-sso-old\java\windows-x64\jre\lib\security>..\..\bin\keytool -exportcert -keystore cacerts -alias <"user_defined_alias"> -file <path_to_the_certificate_file>
To import a certificate to the current java keystore, execute the command:
    C:\Program Files\java\jrex.x.x_xxx\lib\security>..\..\bin\keytool -import -file <path_to_the_certificate_file> -alias <"user_defined_alias"> -keystore cacerts
To verify that the certificate was successfully added to the Java keystore, execute the command:
    C:\Program Files\java\jrex.x.x_xxx\lib\security>..\..\bin\keytool -list -keystore cacerts -alias <"user_defined_alias">
Check the Common Domain Cookie Discovery and SAML Compatibility Flags.
Run the setup script
    cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
    setup.cmd
When upgrading to version 8.4, install and prepare PostgreSQL. Since SSO version 8.4, the Accounting Service feature requires access to a PostgreSQL database in order to run. If you have already installed Ubisecure CustomerID, you can use the existing PostgreSQL installation, but you need to create a specific database for this purpose. The necessary tables are created automatically during the initial startup of the Accounting Service. See PostgreSQL preparation on Windows for more information and the steps to follow.
Start the UbiloginDirectory service
    net start ubilogindirectory
Upgrading Ubisecure Directory
To update your ADAM or AD LDS installation, the schema and directory settings of the instance must be updated. Before starting, make sure that you are logged in with the same user account that was used to install ADAM or AD LDS.
To update the schema and directory settings, execute the command adaminstall.cmd shown below. This command updates the LDAP schema and does not delete existing user or configuration data.
    cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap"
    adam\adaminstall.cmd
At minimum you need to add the Accounting Service related settings to LDAP, using e.g. this command:
    adam\import-changes.cmd
If you are upgrading from Ubisecure SSO 6.0.0 or 6.0.1 to 6.3, follow the instructions listed in the document Ubisecure SSO Authentication Migration. With newer versions, you can skip this step.
If robots.txt has been changed, copy the following file from the previous installation to the matching ubilogin-sso directory:
    C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\ROOT\robots.txt
If the Password reset and password change application is used, copy the following files and directories from the previous installation to the matching ubilogin-sso directory. Also, edit the server.xml file and check the web.xml file configuration. Skip this step if the Password reset and password change application is not used.
Copy the following files to the matching ubilogin-sso directory:
    C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\password.properties
    C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\saml2
Edit the server.xml file and uncomment:
    <Context path="/password" docBase="${catalina.base}/webapps/password"/>
    notepad "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\conf\server.xml"
Also check the old web.xml for the mail.smtp.host and mail.smtp.from configuration and copy those to the new web.xml (C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\webapps\password\WEB-INF\web.xml):
    notepad "C:\Program Files\Ubisecure\ubilogin-sso-old\ubilogin\webapps\password\WEB-INF\web.xml"
If the environment has an external SQL database, copy the JDBC driver provided by the database vendor from the previous installation to the matching java directory, depending on the old and new SSO versions. Skip this step if the environment does not have an external SQL database or if both old and new SSO versions are 8.2 or later.
Old and new SSO versions prior to 8.2:
    copy "C:\Program Files\Ubisecure\ubilogin-sso-old\java\windows-x64\jre\lib\ext\{INSERT DRIVER FILENAME}" "C:\Program Files\Ubisecure\ubilogin-sso\java\windows-x64\jre\lib\ext"
Old SSO version prior to 8.2 and new SSO version 8.2 or later:
    copy "C:\Program Files\Ubisecure\ubilogin-sso-old\java\windows-x64\jre\lib\ext\{INSERT DRIVER FILENAME}" "C:\Program Files\Java\jrex.x.x_xxx\lib\ext\{INSERT DRIVER FILENAME}"
When upgrading to version 8.4, configure Accounting Service
Before continuing with the installation, which will start the Accounting Service, you need to enter and save the secret key contents in the location referred to by accounting.secret-key-location in win32.config. See Accounting Service security about the usage of the key for pseudonymisation.
You may also customise other Accounting Service configuration settings for your needs, which is recommended. See Accounting Service additional configuration about the properties to set.
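A pre-flight check that can be run at this point, before install.cmd starts the Accounting Service. This is an added example, not Ubisecure's own tooling; it assumes the default installation paths used on this page and the secret key location from the page's copy example, and it treats the settings the page's block leaves blank as needing a value.

```powershell
# Added example: pre-flight check before config\tomcat\install.cmd (8.4 upgrade).
# Paths are the ones used on this page; the secret key path is the page's example location.
$new     = 'C:\Program Files\Ubisecure\ubilogin-sso'
$old     = 'C:\Program Files\Ubisecure\ubilogin-sso-old'
$cfgPath = Join-Path $new 'ubilogin\win32.config'

# Parse "key = value" lines, skipping comments and blank lines.
$cfg = @{}
foreach ($line in Get-Content -LiteralPath $cfgPath) {
    if ($line -match '^\s*([^#=\s][^=]*?)\s*=\s*(.*)$') {
        $cfg[$Matches[1]] = $Matches[2].Trim()
    }
}
$problems = @()

# Accounting Service keys from the page's 8.4 settings block that must be present.
$required = 'accounting.url', 'accounting.instancename', 'accounting.username',
            'accounting.datasource.url', 'accounting.secret-key-location-uri',
            'accounting.jms.broker.port'
foreach ($key in $required) {
    if (-not $cfg.ContainsKey($key)) { $problems += "missing: $key" }
}

# Assumption: keys the page's block leaves blank need a value before the service starts.
$blank = 'accounting.datasource.username', 'accounting.datasource.password',
         'accounting.actuator.password'
foreach ($key in $blank) {
    if ([string]::IsNullOrWhiteSpace($cfg[$key])) { $problems += "empty: $key" }
}

# The secret key must exist, be non-empty, and match the old one if there was one.
$newKey = Join-Path $new 'accounting\config\accounting-service.secret'
$oldKey = Join-Path $old 'accounting\config\accounting-service.secret'
if (-not (Test-Path -LiteralPath $newKey) -or (Get-Item -LiteralPath $newKey).Length -eq 0) {
    $problems += "secret key missing or empty: $newKey"
} elseif (Test-Path -LiteralPath $oldKey) {
    $a = (Get-FileHash -LiteralPath $newKey -Algorithm SHA256).Hash
    $b = (Get-FileHash -LiteralPath $oldKey -Algorithm SHA256).Hash
    if ($a -ne $b) { $problems += 'secret key differs from the previous installation' }
}

# Report key names only; never echo the configured values.
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'win32.config and secret key are ready for install.cmd'
```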
Update the Tomcat and Accounting Service configuration and restart the services. Since version 8.4, the remove step should be done before the installation directory is replaced. For starting the Accounting Service, see also Windows single node installation.
    cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
    config\tomcat\install.cmd
The system upgrade is complete. See also Single node installation finalization.
Either securely remove the backed up ubilogin-sso-old directory, or rename it and store it in a secure location. All configuration files in the old installation directory (win32.config and unix.config) should either be removed from the system or otherwise protected from unauthorized users.
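If the old directory is kept in place for a while, its access can be narrowed as follows. This is an added example, not part of the product documentation; it assumes the ubilogin-sso-old path used on this page and that only local administrators and SYSTEM should be able to read the retained configuration files.

```powershell
# Added example: restrict the retained ubilogin-sso-old directory, then verify.
$old     = 'C:\Program Files\Ubisecure\ubilogin-sso-old'
$allowed = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM

# Drop ACEs inherited from the parent directory and grant full control only to
# the two well-known SIDs above (SIDs are used so the command is locale-independent).
icacls $old /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

# Verify the directory itself and the configuration files named on this page.
$configs = Get-ChildItem -LiteralPath $old -Recurse -File |
    Where-Object { $_.Name -in 'win32.config', 'unix.config' }
$targets = @($old) + @($configs | ForEach-Object { $_.FullName })

$findings = 0
foreach ($path in $targets) {
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $sid -notin $allowed) {
            # An explicit ACE on a child object survives the change above.
            Write-Warning "$path : $($ace.IdentityReference) has $($ace.FileSystemRights)"
            $findings++
        }
    }
}
if ($findings -eq 0) { Write-Output 'Only Administrators and SYSTEM can access the old configuration.' }
```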
Clear your web browser’s cache before accessing the user interface.
The user interface has changed in version 7.1 to support responsive design. Existing user interfaces are supported, but must be updated to enable backward compatibility. For each template.properties file in the custom\templates directory, add the following text as the first line of the file:
    # enable backward compatibility for SSO 6.x templates
    @import = sso6
If the template contains a CSS reference, add the following line to the top of the referenced CSS file.
    /* enable backward compatibility for SSO 6.x templates */
    @import "sso6.css";
If the CSS file contains references to graphical or other resources hosted by the Ubisecure SSO as a resource, ensure the resource path is a relative path. An example is shown below:
    #intro { background-image: url("resource/intro-box-custom-background.png") }
Test all custom user interfaces. To implement a responsive design, create a new template, remove the “import” lines and adjust the CSS tags to match the new CSS design. The responsive CSS is available after default installation at the address (where UAS_URL is the hostname for the installation):
https://UAS_URL/uas/template/default/default.css