Install node 1 - SSO

Steps

Unpack the Software

Unpack the tar archive to /usr/local/ubisecure. Assuming the archive is in the current directory, we could do the following:

Listing 1.
mkdir -p /usr/local/ubisecure
tar xzvf sso-x.x.x.tar.gz -C /usr/local/ubisecure

Copy the configuration template to /usr/local/ubisecure/ubilogin-sso/ubilogin

Listing 2.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
cp config/unix.config .

Install dependencies

For 64 bit Redhat linux, the glibc and libgcc packages for i686 must be installed, update needs to be run for 64bit version of libgcc to prevent version mismatch problem. Linux standard base package is also needed.

Listing 3.
yum install glibc.i686
yum update libgcc
yum install libgcc.i686
yum install lsb

Create Accounting Service user and database

See PostgreSQL preparation on Linux.

Modify the configuration template

Open unix.config file in a text editor. Modify the following keys:

uas.url

Modify the public visible URL address of the Ubisecure SSO deployment, which is set with key uas.url. The installation is only accessible from the local machine if the value is set as localhost. The resulting line for uas.url might look like the following:

Listing 4.
uas.url = https://sso.example.com

This is the publicly visible URL address of your Ubisecure SSO installation. The value must not include a path component and must not end with a '/' character.

This address must be accessible for all users of this installation. In an installation with front-end reverse proxy servers this address refers to the first front-end server that is accessible from the public network.

Accounting Service settings

This step is mandatory since v. 8.4, see Linux single node installation / Modify the configuration template.

ldap.url

Listing 5.
ldap.url = ldap://127.0.0.1:389

Modify ldap.url value from localhost to 127.0.0.1:389

suffix

Listing 6.
suffix = cn=Ubilogin,dc=sso,dc=example,dc=com

The suffix defines the name of the Ubisecure Directory. This value and the uas.url value uniquely identify a Ubisecure SSO installation. The name of the Ubisecure Directory cannot be changed without reinstalling the entire system, so consider carefully your choice for the suffix.

Configure reverse proxy

Listing 7.
proxy.remote-addr-name = X-Forwarded-For
proxy.local.url = http://localhost:8080

The value "X-Forwarded-For" is commonly used by proxy servers to pass the address of the requesting client. The proxy server must be configured to pass the end-user IP address in this header.

Save the changes and close the unix.config file, then create the configuration files with the setup.sh script:

Listing 8.
./setup.sh

if setup.sh execution does not finish quickly, you will have to check that entropy generation settings are in order. Consult this blog post http://www.usn-it.de/index.php/2009/02/20/oracle-11g-jdbc-driver-hangs-blocked-by-devrandom-entropy-pool-empty/ for more information.

Accounting Service additional configuration

This step is mandatory since v. 8,4, see Linux single node installation / Configure Accounting Service.

Set up the System User

A system user ubilogin (default name) will be created automatically by the installation scripts. This user will run the Ubisecure daemons.

LDAP configuration

Add the two rows in Listing 10 to the file /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_server_list.conf on node 1. Modify hostnames to the correct ones.

Listing 9.
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_server_list.conf


These are addresses where Ubisecure Directory is running on different nodes:

Listing 10.
serverID 1 ldap://<node1 hostname>:389
serverID 2 ldap://<node2 hostname>:389

Add the following lines to the file  /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_peer.conf on node 1.

Ensure that all quotation marks are standard quotation marks.

Listing 11.
syncrepl rid=001
 provider=ldap://<node1 hostname>:389
 searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
 bindmethod=simple
 binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
 credentials="secret"
 type=refreshAndPersist
 timeout=1
 retry="1 10 60 10 600 +" 

syncrepl rid=002
 provider=ldap://<node2 hostname>:389
 searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
 bindmethod=simple
 binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
 credentials="secret"
 type=refreshAndPersist
 timeout=1
 retry="1 10 60 10 600 +"

mirrormode on
#
overlay syncprov

There are configurations for both nodes. rid=001 is node 1 and rid=002 is node 2.

ProviderLDAP address must match Listing 10

Searchbase

Searchbase must match the suffix defined in unix.config
Binddn

Enter suffix from from unix.config

uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com

CredentialsEnter openldap.root.password from unix.config

Modify Ubisecure Directory startup script (settings.sh) on node 1. This is needed so that OpenLDAP shall listen both to the external and internal URLs to support failover.

Listing 12.
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/config/settings.sh 

Add node 1 local hostname address ldap://node1host:389 to settings.sh. NOTE that this addition is lost always when the setup script is executed.

Listing 13.
ADD the following new line below the line reading "esac"
LDAP_LISTEN_URLS="ldap://node1host:389 $LDAP_LISTEN_URLS"

Install OpenLDAP

Install and start OpenLDAP using the following command:

Listing 14.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/install.sh

If the OpenLDAP install script prompts for LDAP Password, type secret and press return.

Install Ubisecure SSO Tomcat and Accounting Service

Run the Tomcat install script to install and configure Tomcat to start automatically when Linux is started. Since v. 8.4 also the Accounting Service shall be installed as such a service.

The install script starts both of the services.


Listing 15.
./config/tomcat/install.sh

About Accounting Service initial installation:

Start Accounting Service

Start the Ubisecure Accounting service using the following command.

Listing 16.
/etc/init.d/ubisecure-accounting start  
  1. On the first time the necessary database tables are created in your database.
  2. If you are doing the initial Accounting Service installation and the service does not start you may need to change the Accounting Service related settings in the unix.config file before continuing. see Change configuration settings during installation process in Linux. See also Troubleshooting Accounting Service.

Accounting Service should always be running before SSO is started or otherwise SSO log will be filled with errors but still keeps running if there is enough disk space. SSO can recover without a restart from Accounting Service restart if necessary.

Start Ubisecure SSO

Start the Ubisecure SSO process using the following commands.

Listing 17.
/etc/init.d/ubilogin-directory start  
/etc/init.d/ubilogin-server start

Verify Installation

Continue on page Single node installation finalization to finalize and verify the installation.