Install node 2 - SSO
- Tomi Pelttari
Steps
Install dependencies
Make sure you have Java installed, JRE_HOME and JAVA_HOME set according to Installation requirements - SSO.
For 64 bit Redhat linux, the glibc and libgcc packages for i686 must be installed, update needs to be run for 64bit version of libgcc to prevent version mismatch problem. Linux standard base package is also needed.
yum install glibc.i686 yum update libgcc yum install libgcc.i686 yum install lsb
Stop Ubisecure SSO and Accounting Service on node 1
Accounting Service is a new service since 8.4. Shut down node 1 when installing node 2.
On node 1.
/etc/init.d/ubilogin-server stop /etc/init.d/ubilogin-directory stop /etc/init.d/ubisecure-accounting stop
Copy node 1 installation to node 2
On node 2, create ubisecure folder and copy the ubilogin-sso folder from node 1 to node 2.
mkdir -p /usr/local/ubisecure cd /usr/local/ubisecure/ scp -r <username>@<node1>:/usr/local/ubisecure/ubilogin-sso .
LDAP configuration
On node 2, modify Ubisecure Directory startup script (settings.sh)
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/config/settings.sh
Add node 2 hostname to ldap://node2host:389 to settings.sh.
Modify the line below the line reading "esac" LDAP_LISTEN_URLS="ldap://node2host:389 $LDAP_LISTEN_URLS"
Install OpenLDAP
Install OpenLDAP service on node 2. A system user ubilogin (default name) will be created automatically by the installation scripts. This user will run the Ubisecure daemons.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin ./ldap/openldap/install.sh
If the OpenLDAP install script prompts for LDAP Password, type secret and press return.
If OpenLDAP service were started stop ubilogin-directory on node 2 at this point.
/etc/init.d/ubilogin-directory stop
Delete the OpenLDAP database from node 2. It will reappear through replication later. The directory name is based on your LDAP root, for example:
cd /usr/local/ubisecure/ubilogin-sso/openldap/var/openldap-bdb/cn=Ubilogin,dc=sso,dc=example,dc=com rm -f *
Restart the services on node 1:
/etc/init.d/ubisecure-accounting start /etc/init.d/ubilogin-directory start /etc/init.d/ubilogin-server start
Start OpenLDAP service on node 2 with the proper configuration.
/etc/init.d/ubilogin-directory start
Verify LDAP replication
List OpenLDAP folder on node 2 and verify that database files from node 1 have been copied automatically to node 2. The directory name is based on your LDAP root, for example:
ls /usr/local/ubisecure/ubilogin-sso/openldap/var/openldap-bdb/cn=Ubilogin,dc=sso,dc=example,dc=com
Install Ubisecure SSO Tomcat and Accounting Service
Tune the Accounting Service scheduled job settings in node 2, see Accounting Service additional configuration / Recommended changes.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin vi custom/accounting/config/application.yaml
Depending on the Accounting Service secret key location setting you may need to copy a file from node 1 to node 2, see accounting.secret-key-location-uri in SSO Installation Accounting Service settings and Accounting Service security / Pseudonymisation.
Install Ubisecure SSO Tomcat and Accounting Service to node 2:
cd /usr/local/ubisecure/ubilogin-sso/ubilogin ./config/tomcat/install.sh
Start Accounting Service and SSO Tomcat
Start services on node 2.
/etc/init.d/ubisecure-accounting start /etc/init.d/ubilogin-server start
Configuring LDAP failover
Each Ubisecure SSO can be configured to connect to the LDAP directory on the other node in case the local directory cannot be reached. This is recommended if SSO and the directory are run on separate servers. If SSO and directory are run on the same server (default configuration), LDAP failover is not always desired. In this case this chapter can be skipped.
For Ubisecure SSO, LDAP failover is configured in file /usr/local/ubisecure/ubilogin-sso/ubilogin/webapps/uas/WEB-INF/jndi.properties. Add com.ubisecure.util.ldap.server.list setting in the end of the file. An example of such configuration follows:
java.naming.factory.initial = com.ubisecure.util.ldap.jldap.JLDAP java.naming.provider.url = ldap://localhost:389/cn=Ubilogin,dc=sso,dc=example,dc=com java.naming.security.authentication = simple java.naming.security.principal = cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com java.naming.security.credentials = secret com.ubisecure.util.ldap.server.list = ldap://node-1-hostname/ ldap://node-2-hostname/
The order of the servers in the server.list value are insignificant. During startup, both servers are contacted at the same time. The server which responds fastest to the request is used until a failure situation occurs.
For other Ubisecure applications, LDAP failover is configured in the following configuration files:
- Ubisecure SSO Management:
<installation directory>/ubilogin/webapps/ubilogin/WEB-INF/jndi.properties - Ubisecure Password application:
<installation directory>/ubilogin/webapps/password/WEB-INF/ubilogin.jndi.properties - Ubisecure Search:
<installation directory>/ubilogin/webapps/search/WEB-INF/jndi.properties - Ubisecure OTP Server:
<installation directory>/ubilogin/webapps/otpserver/WEB-INF/jndi.properties - Ubisecure SSO REST API:
<installation directory>/ubilogin/webapps/sso-api/WEB-INF/jndi.properties
These changes must be made on both nodes.
After the change, activate the applications on each node:
/etc/init.d/ubilogin-server stop cd /usr/local/ubisecure/ubilogin-sso/ubilogin ./config/tomcat/update.sh /etc/init.d/ubilogin-server start
Verify LDAP failover functionality
Start from the situation where both ubilogin-directoy and ubilogin-server are running on both nodes. In the diagrams below node 1 is on the left hand side and node 2 on the right hand side.
Test 1
Check after each step that SSO Management application still responds after a few page refreshes.
- Stop ubilogin-directory on node 2
- Stop ubilogin-server on node 1
Test 2
Check after each step that SSO Management application still responds after a few page refreshes.
- Stop ubilogin-directory on node 1
- Stop ubilogin-server on node 2