Creating the Certificate Key Store for SSL

If you have a production-ready SSL certificate, it is easiest to store it in a keystore.pfx file that is saved in %WILDFLY_HOME%\standalone\configuration\keystore.pfx. If you don't have a production ready server certificate, then you can either create a temporary self-signed one using cert.cmd, to get you started with testing, or buy a production certificate from, for example: https://www.globalsign.com/en/ssl/.

The script cert.cmd will generate a self-signed certificate and deposit it in a key store file called keystore.pfx. This file is saved in %WILDFLY_HOME%\standalone\configuration\keystore.pfx.

cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
cert.cmd

Successful execution will return Creating localhost keystore %WILDFLY_HOME%\standalone\configuration\keystore.pfx

If you are using self-signed certificates (like the one provided by default in the installation of Ubisecure SSO) also with Ubisecure SSO you need to import the public key into the Java certificate store (%JRE_HOME%\lib\security\cacerts file).

Modifying WildFly Service

To change the WildFly service starting type to automatic from the default setting manual run config-wildfly-service.cmd.

cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
config-wildfly-service.cmd

Succesful execution will show [SC] ChangeServiceConfig SUCCESS

Configure WildFly File Permissions

Add LOCAL SERVICE account to WildFly home folder. Modify file permissions for the folder %PROGRAMFILES%\wildfly-x.x.x.Final. Give full control to the LOCAL SERVICE account.

This can be done via the command line

icacls "%PROGRAMFILES%\wildfly-x.x.x.Final" /grant "LOCAL SERVICE:(OI)(CI)(F)"

Successful execution will show Successfully processed 1 files; Failed processing 0 files

And verified in the GUI:

NOTE: For the Ubisecure CustomerID service startup to be successful when the server is restarted, the WildFly service startup needs to be dependent on the data storage services (PostgreSQL and the used LDAP(s)). If the WildFly service starts up before the data storage services then the startup won't succeed.

If PostgreSQL is running on the same server as WildFly, create a startup dependency to ensure PostgreSQL is running before WildFly is started. As the Administrator user, execute the following command: sc config wildfly depend=postgresql

The name of the service can be different in your installation so make sure to check the actual name from Windows Services management view.

Successful execution will show the output

[SC] ChangeServiceConfig SUCCESS

NOTE: Execute the following command as an Administrator if there is a need to remove the depency for any reason (note the space between = and "" symbols):

sc config wildfly depend= ""

Successful execution will show the output

[SC] ChangeServiceConfig SUCCESS

Applying WildFly Configuration Changes

The command config-wildfly.cmd will relocate HTTP and HTTPS ports according to configuration that was specified in win32.config and set up the references to the key store containing the server certificate. It will also set host aliases. Make sure that all phases finish with a success status.

cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
config-wildfly.cmd

Successful execution will return many output lines with each set of lines containing the response "outcome" => "success".

Verifying WildFly SSL Configuration

Open a browser to the server's HTTPS port and verify that the connection is over HTTPS and check that the certificate information is what you would expect under the circumstances. At this point in the installation, no applications have been deployed, however a 404 Page not found error message should be delivered over a TLS connection (HTTPS).

Try accessing the URL: https://<eidm.url>/eidm2/xxx

eidm.url can be found from: %PROGRAMFILES%\Ubisecure\customerid\application\win32.config

If you are using a CA-issued SSL server certificate no browser trust warnings should be displayed. If you are using a self-signed certificate will show browser warnings unless explicitly trusted.

In production systems, a proxy must be used between the CustomerID application server and the user. SSL certificate configuration at the proxy is done according to the proxy vendor product instructions.

Setting Up customerid.home System Property for WildFly

Register the customerid.home environment variable to Wildfly.

Run the script register-customerid-home.cmd in order to set the system property customerid.home on WildFly.

cd /D "%PROGRAMFILES%\ubisecure\customerid\tools"
register-customerid-home.cmd

The command has run successfully if the output shows {"outcome" => "success"}.

Setting Up Audit and Diagnostic logging

Starting from Ubisecure CustomerID 5.0.x, logging is managed centrally via the WildFly Java EE container. The script setup-logging.cmd contacts WildFly management port and then sets up logging configuration to redirect Ubisecure CustomerID specific log entries to separate files. To set up logging, run the following commands in a command prompt:

cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
setup-logging.cmd

The command has run successfully if the output shows {"outcome" => "success"} many times.

Setting Up a Mail Session

The mail session is set up by executing the script create-mail-session.cmd

cd /D "%PROGRAMFILES%\Ubisecure\customerid\tools"
create-mail-session.cmd

The command has run successfully if the output shows {"outcome" => "success"} and "reload required" many times.

NOTE: You need to have defined email related configuration in win32.config in order for the above script to work. Only if you are completely sure that you are not going to send emails from Ubisecure CustomerID, then you can skip this step. Emails are sent for user invitations, role requests, notifications of approvals and password management tasks. In other words, most of use cases require setting up a mail session.

Browser not supported