Install node 1 - SSO
Steps
- 1 Unpack the Software
- 1.1 Listing 1.
- 1.2 Listing 2.
- 2 Install dependencies
- 2.1 Listing 3.
- 3 Create Accounting Service user and database
- 4 Modify the configuration template
- 4.1 uas.url
- 4.1.1 Listing 4.
- 4.2 Accounting Service settings
- 4.3 ldap.url
- 4.3.1 Listing 5.
- 4.4 suffix
- 4.4.1 Listing 6.
- 4.5 Configure reverse proxy
- 4.5.1 Listing 7.
- 4.5.2 Listing 8.
- 4.6 Accounting Service additional configuration
- 5 Set up the System User
- 6 LDAP configuration
- 6.1 Listing 9.
- 6.2 Listing 10.
- 6.3 Listing 11.
- 6.4 Listing 12.
- 6.5 Listing 13.
- 7 Install OpenLDAP
- 7.1 Listing 14.
- 8 Install Ubisecure SSO Tomcat and Accounting Service
- 8.1 Listing 15.
- 9 Start Accounting Service
- 9.1 Listing 16.
- 10 Start Ubisecure SSO
- 10.1 Listing 17.
- 11 Verify Installation
Unpack the Software
Unpack the tar archive to /usr/local/ubisecure. Assuming the archive is in the current directory, we could do the following:
Listing 1.
mkdir -p /usr/local/ubisecure
tar xzvf sso-x.x.x.tar.gz -C /usr/local/ubisecure
Copy the configuration template to /usr/local/ubisecure/ubilogin-sso/ubilogin:
Listing 2.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
cp config/unix.config .
Install dependencies
On 64-bit Red Hat Linux the 32-bit (i686) glibc and libgcc packages must be installed. Update the 64-bit libgcc first so that the two architectures do not end up at mismatched versions. The Linux Standard Base (lsb) package is also needed.
Listing 3.
yum install glibc.i686
yum update libgcc
yum install libgcc.i686
yum install lsb
Create Accounting Service user and database
See PostgreSQL preparation on Linux.
Modify the configuration template
Open unix.config file in a text editor. Modify the following keys:
uas.url
Set the publicly visible URL of the Ubisecure SSO deployment with the key uas.url. If the value is localhost, the installation is reachable only from the local machine. The resulting line for uas.url might look like the following:
Listing 4.
uas.url = https://sso.example.com
This is the publicly visible URL address of your Ubisecure SSO installation. The value must not include a path component and must not end with a '/' character.
This address must be accessible for all users of this installation. In an installation with front-end reverse proxy servers this address refers to the first front-end server that is accessible from the public network.
Accounting Service settings
This step is mandatory since version 8.4; see Linux single node installation / Modify the configuration template.
ldap.url
Change the ldap.url value from localhost to 127.0.0.1:389:
Listing 5.
ldap.url = ldap://127.0.0.1:389
suffix
Listing 6.
suffix = cn=Ubilogin,dc=sso,dc=example,dc=com
The suffix defines the name of the Ubisecure Directory. Together with the uas.url value it uniquely identifies a Ubisecure SSO installation. The name of the Ubisecure Directory cannot be changed without reinstalling the entire system, so choose the suffix carefully.
Configure reverse proxy
Listing 7.
proxy.remote-addr-name = X-Forwarded-For
proxy.local.url = http://localhost:8080
The header name X-Forwarded-For is commonly used by proxy servers to pass the address of the requesting client; the proxy server must be configured to set this header to the end-user IP address. Because SSO takes the client address from this header, make sure that port 8080 on the node is reachable only from the reverse proxy (firewall rule or loopback bind); a client that could reach Tomcat directly could otherwise supply its own X-Forwarded-For value and have SSO record a false client address.
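The following shell script is an added example and not part of the Ubisecure installation package: it checks the unix.config keys edited above before setup.sh generates the configuration (uas.url without a path or trailing slash and not localhost, ldap.url pointing at 127.0.0.1:389, suffix in DN form, and the two proxy keys). Requiring the https scheme for uas.url is this check's own rule, the key names come from Listings 4 to 7, and the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Ubisecure package: sanity-check the unix.config
# keys from Listings 4-7 before running ./setup.sh. The https requirement and the
# loopback rule for proxy.local.url are this script's own choices.

# Value of KEY in a "key = value" file (first match, trailing blanks removed).
cfg_get() {             # $1 = file  $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# uas.url: https scheme, host[:port] only, no path, no trailing '/', not localhost.
check_uas_url() {       # $1 = unix.config
    url=$(cfg_get "$1" uas.url)
    case "$url" in
        "")            echo "uas.url: missing"; return 1 ;;
        */)            echo "uas.url: must not end with '/'"; return 1 ;;
        https://*/*)   echo "uas.url: must not contain a path component"; return 1 ;;
        https://localhost*|https://127.0.0.1*)
                       echo "uas.url: localhost makes SSO reachable only from this machine"; return 1 ;;
        https://*)     return 0 ;;
        *)             echo "uas.url: expected https://host[:port]"; return 1 ;;
    esac
}

# ldap.url: the node talks to its own directory on the loopback address.
check_ldap_url() {      # $1 = unix.config
    [ "$(cfg_get "$1" ldap.url)" = "ldap://127.0.0.1:389" ]
}

# suffix: a DN, i.e. comma-separated attr=value pairs.
check_suffix() {        # $1 = unix.config
    suffix=$(cfg_get "$1" suffix)
    [ -n "$suffix" ] && printf '%s\n' "$suffix" | grep -Eq '^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$'
}

# proxy.*: client-address header named, and Tomcat addressed on the loopback interface.
check_proxy() {         # $1 = unix.config
    [ "$(cfg_get "$1" proxy.remote-addr-name)" = "X-Forwarded-For" ] &&
    case "$(cfg_get "$1" proxy.local.url)" in
        http://localhost:*|http://127.0.0.1:*) true ;;
        *) false ;;
    esac
}

# Run all checks, report every failure, return non-zero if any failed.
check_unix_config() {   # $1 = unix.config
    rc=0
    check_uas_url "$1" || rc=1
    check_ldap_url "$1" || { echo "ldap.url: expected ldap://127.0.0.1:389"; rc=1; }
    check_suffix "$1"   || { echo "suffix: not a valid DN"; rc=1; }
    check_proxy "$1"    || { echo "proxy.*: expected X-Forwarded-For and a loopback proxy.local.url"; rc=1; }
    return $rc
}

# Constructed sample files (not from a real installation): one correct, one with
# the typical mistakes (trailing slash, localhost, ldap.url left at its default).
tmp=$(mktemp -d)
good="$tmp/good.config"; bad="$tmp/bad.config"
cat >"$good" <<'EOF'
uas.url = https://sso.example.com
ldap.url = ldap://127.0.0.1:389
suffix = cn=Ubilogin,dc=sso,dc=example,dc=com
proxy.remote-addr-name = X-Forwarded-For
proxy.local.url = http://localhost:8080
EOF
cat >"$bad" <<'EOF'
uas.url = https://localhost/sso/
ldap.url = ldap://localhost
suffix = cn=Ubilogin,dc=sso,dc=example,dc=com
proxy.remote-addr-name = X-Forwarded-For
proxy.local.url = http://localhost:8080
EOF

check_unix_config "$good" && echo "good.config: OK"
check_unix_config "$bad"  || echo "bad.config: rejected"
```

Run it as `check_unix_config /usr/local/ubisecure/ubilogin-sso/ubilogin/unix.config` against the real file; a non-zero exit means setup.sh would generate a configuration that is either unreachable or trusts the wrong address.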
Save the changes and close the unix.config file, then create the configuration files with the setup.sh script:
Listing 8.
./setup.sh
If setup.sh does not finish quickly, check that entropy generation is in order (the JVM may block on /dev/random when the entropy pool is empty). Consult this blog post http://www.usn-it.de/index.php/2009/02/20/oracle-11g-jdbc-driver-hangs-blocked-by-devrandom-entropy-pool-empty/ for more information.
Accounting Service additional configuration
This step is mandatory since version 8.4; see Linux single node installation / Configure Accounting Service.
Set up the System User
A system user ubilogin (default name) will be created automatically by the installation scripts. This user will run the Ubisecure daemons.
LDAP configuration
Add the two rows shown in Listing 10 to the file /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_server_list.conf on node 1, replacing the hostname placeholders with the real hostnames.
Listing 9.
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_server_list.conf
These are addresses where Ubisecure Directory is running on different nodes:
Listing 10.
serverID 1 ldap://<node1 hostname>:389
serverID 2 ldap://<node2 hostname>:389
Add the following lines to the file /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap/ldap_peer.conf on node 1.
Ensure that all quotation marks are standard quotation marks.
Listing 11.
syncrepl rid=001
provider=ldap://<node1 hostname>:389
searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
bindmethod=simple
binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
credentials="secret"
type=refreshAndPersist
timeout=1
retry="1 10 60 10 600 +"
syncrepl rid=002
provider=ldap://<node2 hostname>:389
searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
bindmethod=simple
binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
credentials="secret"
type=refreshAndPersist
timeout=1
retry="1 10 60 10 600 +"
mirrormode on
#
overlay syncprov
There are syncrepl blocks for both nodes: rid=001 is node 1 and rid=002 is node 2. Fill in the values as follows:
Provider | The LDAP address of the node; must match the corresponding serverID entry in Listing 10. |
Searchbase | Must match the suffix defined in unix.config (Listing 6). |
Binddn | The System user DN; the part after uid=System,ou=System is the suffix from unix.config (Listing 6). |
Credentials | The password of the System user (the listing shows the example value secret). |
Note that bindmethod=simple over a plain ldap:// provider URL sends these credentials and the replicated directory contents unencrypted between the nodes, so keep the replication traffic on a trusted network segment.
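Before running the OpenLDAP install script it is worth cross-checking the replication files against unix.config. The script below is an added example rather than anything shipped with Ubisecure SSO: it reads the three files named above, verifies each syncrepl provider against the serverID list, compares searchbase and binddn with the suffix, checks that rid values are unique and that mirrormode and syncprov are present, and warns when the providers use cleartext ldap:// with the example password. The hostnames sso1.example.com and sso2.example.com and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Ubisecure package: cross-check ldap_peer.conf and
# ldap_server_list.conf against the suffix in unix.config before running
# ldap/openldap/install.sh. File names and keys are those used in the listings
# above; the checks themselves are this script's own.

# Value of KEY in a "key = value" file (first match, trailing blanks removed).
cfg_get() {             # $1 = file  $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Every syncrepl provider must appear as a serverID URL in ldap_server_list.conf.
check_providers() {     # $1 = ldap_peer.conf  $2 = ldap_server_list.conf
    sed -n 's/^[[:space:]]*provider=//p' "$1" | while read -r url; do
        awk -v u="$url" '$1 == "serverID" && $3 == u { f = 1 } END { exit !f }' "$2" ||
            { echo "provider $url is not listed in $2"; exit 1; }
    done
}

# searchbase must equal the suffix, and binddn must lie under it.
check_dns() {           # $1 = ldap_peer.conf  $2 = unix.config
    suffix=$(cfg_get "$2" suffix)
    [ -n "$suffix" ] || { echo "suffix not set in $2"; return 1; }
    sed -n 's/^[[:space:]]*searchbase="\(.*\)"[[:space:]]*$/\1/p' "$1" | while read -r sb; do
        [ "$sb" = "$suffix" ] || { echo "searchbase '$sb' does not match suffix '$suffix'"; exit 1; }
    done || return 1
    sed -n 's/^[[:space:]]*binddn="\(.*\)"[[:space:]]*$/\1/p' "$1" | while read -r dn; do
        case "$dn" in *",$suffix") ;; *) echo "binddn '$dn' is not under suffix '$suffix'"; exit 1 ;; esac
    done
}

# rid values must be unique; mirrormode on and overlay syncprov must be present.
check_structure() {     # $1 = ldap_peer.conf
    dup=$(sed -n 's/^[[:space:]]*syncrepl[[:space:]]*rid=\([0-9]*\).*/\1/p' "$1" | sort | uniq -d)
    [ -z "$dup" ] || { echo "duplicate rid: $dup"; return 1; }
    grep -Eq '^[[:space:]]*mirrormode[[:space:]]+on' "$1" || { echo "mirrormode on is missing"; return 1; }
    grep -Eq '^[[:space:]]*overlay[[:space:]]+syncprov' "$1" || { echo "overlay syncprov is missing"; return 1; }
}

# Warn, without failing, about cleartext replication and the example password.
warn_cleartext() {      # $1 = ldap_peer.conf
    grep -q '^[[:space:]]*provider=ldap://' "$1" &&
        echo "WARNING: providers use ldap://; simple-bind credentials and directory data cross the wire unencrypted"
    grep -q '^[[:space:]]*credentials="secret"' "$1" &&
        echo "WARNING: credentials are still the example value 'secret'"
    return 0
}

check_replication() {   # $1 = ldap_peer.conf  $2 = ldap_server_list.conf  $3 = unix.config
    rc=0
    check_providers "$1" "$2" || rc=1
    check_dns "$1" "$3"       || rc=1
    check_structure "$1"      || rc=1
    warn_cleartext "$1"
    return $rc
}

# Constructed sample files (hostnames and suffix are made up for this example).
d=$(mktemp -d)
cat >"$d/unix.config" <<'EOF'
uas.url = https://sso.example.com
suffix = cn=Ubilogin,dc=sso,dc=example,dc=com
EOF
cat >"$d/ldap_server_list.conf" <<'EOF'
serverID 1 ldap://sso1.example.com:389
serverID 2 ldap://sso2.example.com:389
EOF
cat >"$d/ldap_peer.conf" <<'EOF'
syncrepl rid=001
provider=ldap://sso1.example.com:389
searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
bindmethod=simple
binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
credentials="secret"
type=refreshAndPersist
syncrepl rid=002
provider=ldap://sso2.example.com:389
searchbase="cn=Ubilogin,dc=sso,dc=example,dc=com"
bindmethod=simple
binddn="uid=System,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com"
credentials="secret"
type=refreshAndPersist
mirrormode on
overlay syncprov
EOF
# Broken variant: second provider not in the server list, mirrormode dropped.
sed 's/sso2\.example\.com/sso3.example.com/' "$d/ldap_peer.conf" | grep -v '^mirrormode' > "$d/ldap_peer_bad.conf"

check_replication "$d/ldap_peer.conf" "$d/ldap_server_list.conf" "$d/unix.config" && echo "replication config: OK"
check_replication "$d/ldap_peer_bad.conf" "$d/ldap_server_list.conf" "$d/unix.config" || echo "broken config rejected"
```

On a real node, point the three arguments at the files under /usr/local/ubisecure/ubilogin-sso/ubilogin; a mismatch between searchbase and suffix, or a provider that is not in ldap_server_list.conf, would otherwise only surface as a silently non-replicating directory after install.sh has run.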
Modify Ubisecure Directory startup script (settings.sh) on node 1. This is needed so that OpenLDAP shall listen both to the external and internal URLs to support failover.
Listing 12.
vi /usr/local/ubisecure/ubilogin-sso/ubilogin/config/settings.sh
Add the local hostname address of node 1, ldap://node1host:389, to settings.sh. NOTE that this addition is lost every time the setup script is executed, so it must be re-added after each run of setup.sh.
Listing 13.
Add the following new line below the line reading "esac":
LDAP_LISTEN_URLS="ldap://node1host:389 $LDAP_LISTEN_URLS"
Install OpenLDAP
Install and start OpenLDAP using the following command:
Listing 14.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin
./ldap/openldap/install.sh
If the OpenLDAP install script prompts for LDAP Password, type secret and press return.
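Because the settings.sh change from Listing 13 is lost every time setup.sh runs, the following added example (not part of the Ubisecure package) re-applies it idempotently: it inserts the LDAP_LISTEN_URLS line below the first esac line only when that exact line is not already present, and fails if the file has no esac line at all. The stand-in settings.sh written here is constructed for the demonstration and is not the real generated file.

```shell
#!/bin/sh
# Added example, not part of the Ubisecure package: re-apply the LDAP_LISTEN_URLS
# line to settings.sh after every setup.sh run without duplicating it. The variable
# name and the "below esac" rule are from Listing 13; the stand-in settings.sh is
# constructed here and differs from the real generated file.

# Insert LDAP_LISTEN_URLS="<url> $LDAP_LISTEN_URLS" after the first "esac" line of
# $1 unless that exact line is already present. Returns 1 if there is no esac line.
ensure_listen_url() {   # $1 = settings.sh  $2 = this node's LDAP URL
    line="LDAP_LISTEN_URLS=\"$2 \$LDAP_LISTEN_URLS\""
    if grep -Fqx -- "$line" "$1"; then
        return 0                        # already applied, nothing to do
    fi
    grep -q '^esac' "$1" || { echo "no esac line in $1"; return 1; }
    awk -v ins="$line" '{ print } /^esac/ && !done { print ins; done = 1 }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Number of times the line is present (must stay 1 however often ensure_listen_url runs).
count_listen_lines() {  # $1 = settings.sh  $2 = this node's LDAP URL
    grep -Fcx -- "LDAP_LISTEN_URLS=\"$2 \$LDAP_LISTEN_URLS\"" "$1"
}

# Constructed stand-in for the generated settings.sh: the loopback URL is chosen
# inside a case block, as the real file's "below esac" instruction implies.
d=$(mktemp -d)
cat >"$d/settings.sh" <<'EOF'
#!/bin/sh
case "${1:-}" in
  external) LDAP_LISTEN_URLS="ldap://0.0.0.0:389" ;;
  *)        LDAP_LISTEN_URLS="ldap://127.0.0.1:389" ;;
esac
echo "$LDAP_LISTEN_URLS"
EOF

ensure_listen_url "$d/settings.sh" ldap://node1host:389   # first run: line inserted
ensure_listen_url "$d/settings.sh" ldap://node1host:389   # second run: no change
sh "$d/settings.sh"   # prints: ldap://node1host:389 ldap://127.0.0.1:389
```

Run `ensure_listen_url /usr/local/ubisecure/ubilogin-sso/ubilogin/config/settings.sh ldap://<node1 hostname>:389` after every setup.sh execution; because the function refuses to insert a second copy, it is safe to call from a post-setup script unconditionally.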
Install Ubisecure SSO Tomcat and Accounting Service
Run the Tomcat install script to install Tomcat and configure it to start automatically when Linux boots. Since version 8.4 this script also installs the Accounting Service as such a service.
The install script starts both of the services.
Listing 15.
./config/tomcat/install.sh
About the initial Accounting Service installation:
On the first start the necessary database tables are created in your database.
If the service does not start, you may need to change the Accounting Service related settings in the unix.config file before continuing; see Change configuration settings during installation process in Linux. See also Troubleshooting Accounting Service.
Start Accounting Service
Start the Ubisecure Accounting service using the following command.
Listing 16.
/etc/init.d/ubisecure-accounting start
On the first start the necessary database tables are created in your database.
If you are doing the initial Accounting Service installation and the service does not start, you may need to change the Accounting Service related settings in the unix.config file before continuing; see Change configuration settings during installation process in Linux. See also Troubleshooting Accounting Service.
The Accounting Service should always be running before SSO is started; otherwise the SSO log fills with errors, although SSO keeps running as long as there is enough disk space. SSO recovers from an Accounting Service restart without needing a restart of its own.
Start Ubisecure SSO
Start the Ubisecure SSO process using the following commands.
Listing 17.
/etc/init.d/ubilogin-directory start
/etc/init.d/ubilogin-server start
Verify Installation
Continue on page Single node installation finalization to finalize and verify the installation.